Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 00:42

General

  • Target

    0BzMzlmT.exe

  • Size

    27.9MB

  • MD5

    34e055a67b10a1a14994b6b3457698e2

  • SHA1

    6b299dca56f55a0656b23fd035f4353dc049343a

  • SHA256

    01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

  • SHA512

    8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218

  • SSDEEP

    786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 64 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

  • Drops file in Windows directory 64 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 64 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Launches sc.exe 64 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Time Discovery 1 TTPs 6 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe
    "C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\SYSTEM32\net.exe
      net stop w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop w32time
        3⤵
        • System Time Discovery
        PID:4692
    • C:\Windows\SYSTEM32\w32tm.exe
      w32tm /unregister
      2⤵
      PID:968
    • C:\Windows\SYSTEM32\w32tm.exe
      w32tm /register
      2⤵
      • Server Software Component: Terminal Services DLL
      • Boot or Logon Autostart Execution: Time Providers
      PID:1452
    • C:\Windows\SYSTEM32\net.exe
      net start w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 start w32time
        3⤵
        • System Time Discovery
        PID:3164
    • C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get VirtualizationFirmwareEnabled
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$env:firmware_type"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "confirm-securebootuefi"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil behavior set disablelastaccess 1
      2⤵
      PID:3728
    • C:\Windows\SYSTEM32\w32tm.exe
      w32tm /resync /force
      2⤵
      PID:3368
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "PcaSvc"
      2⤵
      • Launches sc.exe
      PID:4936
    • C:\Windows\SYSTEM32\sc.exe
      sc config "PcaSvc" start=disabled
      2⤵
      PID:8
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Drops file in Windows directory
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4812
    • C:\Windows\SYSTEM32\net.exe
      net stop w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop w32time
        3⤵
        • System Time Discovery
        PID:4064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4372
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d C:
      2⤵
      • Deletes NTFS Change Journal
      PID:3916
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d D:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:3532
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d F:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:840
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SysMain"
      2⤵
      PID:3960
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SysMain" start=disabled
      2⤵
      PID:1276
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SuperFetch"
      2⤵
      PID:4628
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SuperFetch" start=disabled
      2⤵
      • Launches sc.exe
      PID:4240
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil behavior set disablelastaccess 1
      2⤵
      PID:3664
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "PcaSvc"
      2⤵
      PID:3992
    • C:\Windows\SYSTEM32\sc.exe
      sc config "PcaSvc" start=disabled
      2⤵
      • Launches sc.exe
      PID:3132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      PID:4604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d C:
      2⤵
      • Deletes NTFS Change Journal
      PID:2304
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d D:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:1912
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d F:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:4620
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SysMain"
      2⤵
      • Launches sc.exe
      PID:2424
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SysMain" start=disabled
      2⤵
      PID:1176
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SuperFetch"
      2⤵
      PID:4940
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SuperFetch" start=disabled
      2⤵
      PID:3440
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil behavior set disablelastaccess 1
      2⤵
      PID:4148
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "PcaSvc"
      2⤵
      • Launches sc.exe
      PID:5040
    • C:\Windows\SYSTEM32\sc.exe
      sc config "PcaSvc" start=disabled
      2⤵
      • Launches sc.exe
      PID:4272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d C:
      2⤵
      • Deletes NTFS Change Journal
      PID:4296
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d D:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:1320
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d F:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:1176
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reagentc /enable
      2⤵
      PID:2028
      • C:\Windows\system32\ReAgentc.exe
        reagentc /enable
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SysMain"
      2⤵
      PID:3440
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SysMain" start=disabled
      2⤵
      PID:2376
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SuperFetch"
      2⤵
      PID:5024
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SuperFetch" start=disabled
      2⤵
      PID:4872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mbr2gpt /convert /allowFullOS
      2⤵
      PID:3132
      • C:\Windows\system32\MBR2GPT.EXE
        mbr2gpt /convert /allowFullOS
        3⤵
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        PID:2592
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil behavior set disablelastaccess 1
      2⤵
      PID:3952
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "PcaSvc"
      2⤵
      PID:1896
    • C:\Windows\SYSTEM32\sc.exe
      sc config "PcaSvc" start=disabled
      2⤵
      PID:3872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2376
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d C:
      2⤵
      PID:4812
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d D:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:3172
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d F:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:2628
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SysMain"
      2⤵
      PID:3532
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SysMain" start=disabled
      2⤵
      PID:4280
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SuperFetch"
      2⤵
      PID:2472
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SuperFetch" start=disabled
      2⤵
      PID:3872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      PID:116
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil behavior set disablelastaccess 1
      2⤵
      PID:2728
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "PcaSvc"
      2⤵
      PID:1904
    • C:\Windows\SYSTEM32\sc.exe
      sc config "PcaSvc" start=disabled
      2⤵
      PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
      2⤵
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      PID:2776
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d C:
      2⤵
      PID:2028
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d D:
      2⤵
      PID:1828
    • C:\Windows\SYSTEM32\fsutil.exe
      fsutil usn deletejournal /d F:
      2⤵
      • Deletes NTFS Change Journal
      • Enumerates connected drives
      PID:1832
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SysMain"
      2⤵
      PID:4804
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SysMain" start=disabled
      2⤵
      • Launches sc.exe
      PID:3688
    • C:\Windows\SYSTEM32\sc.exe
      sc stop "SuperFetch"
      2⤵
      PID:5020
    • C:\Windows\SYSTEM32\sc.exe
      sc config "SuperFetch" start=disabled
      2⤵
      PID:1572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2028
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65c046f8,0x7ffd65c04708,0x7ffd65c04718
        3⤵
        PID:1540
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
        3⤵
        PID:3892
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3608
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
        3⤵
        PID:4928
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                                                                                      3⤵
                                                                                        PID:5084
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
                                                                                        3⤵
                                                                                          PID:3300
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
                                                                                          3⤵
                                                                                            PID:5792
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
                                                                                            3⤵
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:5988
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
                                                                                            3⤵
                                                                                              PID:4336
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                                                                                              3⤵
                                                                                                PID:2152
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
                                                                                                3⤵
                                                                                                  PID:1368
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                                                                                                  3⤵
                                                                                                    PID:5836
                                                                                                • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                  fsutil behavior set disablelastaccess 1
                                                                                                  2⤵
                                                                                                    PID:3440
                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                    sc stop "PcaSvc"
                                                                                                    2⤵
                                                                                                    • Launches sc.exe
                                                                                                    PID:5144
                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                    sc config "PcaSvc" start=disabled
                                                                                                    2⤵
                                                                                                    • Launches sc.exe
                                                                                                    PID:5268
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                    2⤵
                                                                                                    • Hide Artifacts: Ignore Process Interrupts
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:5348
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                    2⤵
                                                                                                    • Hide Artifacts: Ignore Process Interrupts
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:5700
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                    2⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:6024
                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                    fsutil usn deletejournal /d C:
                                                                                                    2⤵
                                                                                                    • Deletes NTFS Change Journal
                                                                                                    PID:5144
                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                    fsutil usn deletejournal /d D:
                                                                                                    2⤵
                                                                                                    • Enumerates connected drives
                                                                                                    PID:5284
                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                    fsutil usn deletejournal /d F:
                                                                                                    2⤵
                                                                                                    • Enumerates connected drives
                                                                                                    PID:5448
                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                    sc stop "SysMain"
                                                                                                    2⤵
                                                                                                      PID:5596
                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                      sc config "SysMain" start=disabled
                                                                                                      2⤵
                                                                                                      • Launches sc.exe
                                                                                                      PID:5684
                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                      sc stop "SuperFetch"
                                                                                                      2⤵
                                                                                                        PID:4572
                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                        sc config "SuperFetch" start=disabled
                                                                                                        2⤵
                                                                                                        • Launches sc.exe
                                                                                                        PID:5544
                                                                                                      • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                        fsutil behavior set disablelastaccess 1
                                                                                                        2⤵
                                                                                                          PID:744
                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                          sc stop "PcaSvc"
                                                                                                          2⤵
                                                                                                            PID:5176
                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                            sc config "PcaSvc" start=disabled
                                                                                                            2⤵
                                                                                                              PID:6096
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                              2⤵
                                                                                                                PID:6072
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                2⤵
                                                                                                                  PID:5448
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                  2⤵
                                                                                                                    PID:5548
                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                    fsutil usn deletejournal /d C:
                                                                                                                    2⤵
                                                                                                                    • Deletes NTFS Change Journal
                                                                                                                    PID:5820
                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                    fsutil usn deletejournal /d D:
                                                                                                                    2⤵
                                                                                                                    • Deletes NTFS Change Journal
                                                                                                                    • Enumerates connected drives
                                                                                                                    PID:1676
                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                    fsutil usn deletejournal /d F:
                                                                                                                    2⤵
                                                                                                                    • Deletes NTFS Change Journal
                                                                                                                    • Enumerates connected drives
                                                                                                                    PID:5160
                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                    sc stop "SysMain"
                                                                                                                    2⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:6076
                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                    sc config "SysMain" start=disabled
                                                                                                                    2⤵
                                                                                                                      PID:5244
                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                      sc stop "SuperFetch"
                                                                                                                      2⤵
                                                                                                                        PID:5320
                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                                        sc config "SuperFetch" start=disabled
                                                                                                                        2⤵
                                                                                                                          PID:5552
                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                          fsutil behavior set disablelastaccess 1
                                                                                                                          2⤵
                                                                                                                            PID:5432
                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                            sc stop "PcaSvc"
                                                                                                                            2⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            PID:5572
                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                            sc config "PcaSvc" start=disabled
                                                                                                                            2⤵
                                                                                                                              PID:5576
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                              2⤵
                                                                                                                                PID:5156
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                2⤵
                                                                                                                                • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                PID:5264
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                2⤵
                                                                                                                                  PID:6080
                                                                                                                                • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                  fsutil usn deletejournal /d C:
                                                                                                                                  2⤵
                                                                                                                                  • Deletes NTFS Change Journal
                                                                                                                                  PID:5496
                                                                                                                                • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                  fsutil usn deletejournal /d D:
                                                                                                                                  2⤵
                                                                                                                                  • Deletes NTFS Change Journal
                                                                                                                                  • Enumerates connected drives
  PID:6024
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Enumerates connected drives
  PID:4748
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3136
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  • Launches sc.exe
  PID:5596
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  • Launches sc.exe
  PID:5692
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  • Launches sc.exe
  PID:5564
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:6080
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:5400
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5424
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4796
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5368
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:6012
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:5288
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Enumerates connected drives
  PID:5144
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5688
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  • Launches sc.exe
  PID:3868
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  • Launches sc.exe
  PID:5388
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:5632
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:5864
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:640
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  • Launches sc.exe
  PID:184
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:6092
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:4336
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:5304
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5356
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  • Deletes NTFS Change Journal
  PID:5264
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:640
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Enumerates connected drives
  PID:5984
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:6044
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:5128
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  • Launches sc.exe
  PID:5588
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:840
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:5380
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:5572
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4796
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:5240
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:6092
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5760
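The tree above is the same thirteen-command anti-forensic loop run over and over from one parent: delete the USN change journal on C:, D: and F:, stop and disable SysMain/SuperFetch and PcaSvc, turn off last-access timestamps, then wipe Prefetch on every drive. Individually each child is a legitimate admin tool, so the useful detection is the combination under a single parent. The following is an added detection example, not part of the sandbox report or the sample itself; it runs over a constructed, simplified process-creation record (pid, ppid, image, command line) modelled on the entries above, with placeholder parent PIDs 1234 and 999 that are assumptions, and flags any parent that chains several of these techniques. Map your real source (Sysmon Event ID 1, Security 4688, EDR telemetry) onto the record type.

```python
"""Detect the fsutil / sc / Remove-Item Prefetch anti-forensic chain by parent PID.

Added example, not code from the sandbox report. The event record and the
sample events below are constructed; the parent PIDs 1234 and 999 are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Services the sample disables; extend the alternation for your environment.
_SERVICES = r'"?(sysmain|superfetch|pcasvc)"?'

# Each rule: (technique label, regex over the full command line).
RULES = [
    ("usn_journal_delete",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("lastaccess_disable",
     re.compile(r"\bfsutil(\.exe)?\s+behavior\s+set\s+disablelastaccess\s+1\b", re.I)),
    ("forensic_svc_stop",
     re.compile(r"\bsc(\.exe)?\s+stop\s+" + _SERVICES, re.I)),
    ("forensic_svc_disable",
     re.compile(r"\bsc(\.exe)?\s+config\s+" + _SERVICES + r"\s+start=\s*disabled", re.I)),
    ("prefetch_wipe",
     re.compile(r"remove-item\b.*\\windows\\prefetch\\", re.I)),
]


def classify(cmdline: str):
    """Return the technique label for one command line, or None if it matches no rule."""
    for label, rx in RULES:
        if rx.search(cmdline):
            return label
    return None


def detect(events, min_techniques: int = 3):
    """Group rule hits by parent PID and return {ppid: {label: count}} for parents
    that used at least `min_techniques` distinct techniques. One sc stop on its own
    is noise; three different anti-forensic steps under one parent is the pattern."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        label = classify(ev.cmdline)
        if label:
            hits[ev.ppid][label] += 1
    return {ppid: dict(counts) for ppid, counts in hits.items()
            if len(counts) >= min_techniques}


# Constructed sample: one loop iteration under placeholder parent 1234, plus
# benign sc/fsutil use under placeholder parent 999 that must not alert.
SAMPLE = [
    ProcEvent(4748, 1234, r"C:\Windows\SYSTEM32\fsutil.exe", "fsutil usn deletejournal /d F:"),
    ProcEvent(3136, 1234, r"C:\Windows\SYSTEM32\sc.exe", 'sc stop "SysMain"'),
    ProcEvent(5596, 1234, r"C:\Windows\SYSTEM32\sc.exe", 'sc config "SysMain" start=disabled'),
    ProcEvent(6080, 1234, r"C:\Windows\SYSTEM32\fsutil.exe", "fsutil behavior set disablelastaccess 1"),
    ProcEvent(4796, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -command \"Remove-Item 'C:\\Windows\\Prefetch\\*' "
              "-force -recurse -ErrorAction SilentlyContinue\""),
    ProcEvent(7000, 999, r"C:\Windows\SYSTEM32\sc.exe", "sc query Spooler"),
    ProcEvent(7001, 999, r"C:\Windows\SYSTEM32\fsutil.exe", "fsutil fsinfo drives"),
]


if __name__ == "__main__":
    for ppid, counts in detect(SAMPLE).items():
        print(f"parent {ppid} chained {len(counts)} anti-forensic techniques: {counts}")
```

The threshold is deliberately on distinct techniques rather than raw hit count, because the sample repeats each command per drive and per loop iteration; a parent that only runs `sc stop "SysMain"` twenty times should be a lower-confidence signal than one that also deletes the USN journal and wipes Prefetch. Note that `fsutil usn deletejournal` succeeds only with administrative rights, so a hit from a non-elevated parent still tells you what was attempted even if the journal survived.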
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  • Deletes NTFS Change Journal
  PID:5428
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5412
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5608
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:5568
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:6116
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2152
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:6080
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:5496
• C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                sc stop "PcaSvc"
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:2300
                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                  sc config "PcaSvc" start=disabled
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                  PID:5540
                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                  PID:5596
                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                  PID:5196
                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                  PID:6060
                                                                                                                                                                                • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                  fsutil usn deletejournal /d C:
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:4120
                                                                                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                    fsutil usn deletejournal /d D:
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Deletes NTFS Change Journal
                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                    PID:5496
                                                                                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                    fsutil usn deletejournal /d F:
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Enumerates connected drives
                                                                                                                                                                                    PID:5688
                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                    sc stop "SysMain"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:5360
                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                    sc config "SysMain" start=disabled
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:4948
                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                      sc stop "SuperFetch"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:5468
                                                                                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                        sc config "SuperFetch" start=disabled
                                                                                                                                                                                        2⤵
                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                        PID:5296
                                                                                                                                                                                      • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                        fsutil behavior set disablelastaccess 1
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:3440
                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                          sc stop "PcaSvc"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:6044
                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                            sc config "PcaSvc" start=disabled
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                            PID:5724
                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                            PID:6008
                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                            PID:5540
                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                            PID:5276
                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                            fsutil usn deletejournal /d C:
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                                                            PID:4692
                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                            fsutil usn deletejournal /d D:
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                            PID:5692
                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                            fsutil usn deletejournal /d F:
                                                                                                                                                                                            2⤵
                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                            PID:1292
                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                            sc stop "SysMain"
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:5752
                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                              sc config "SysMain" start=disabled
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:6060
                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                              sc stop "SuperFetch"
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:5680
                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                              sc config "SuperFetch" start=disabled
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:5520
                                                                                                                                                                                            • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                              fsutil behavior set disablelastaccess 1
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:5688
                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                sc stop "PcaSvc"
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                PID:5360
                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                sc config "PcaSvc" start=disabled
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:6128
                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:2728
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:1084
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:4260
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    PID:1448
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:6008
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:5352
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:5780
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    2⤵
    • Launches sc.exe
    PID:5940
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    2⤵
    PID:5712
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    2⤵
    • Launches sc.exe
    PID:5176
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    2⤵
    PID:4996
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    2⤵
    PID:5296
  • C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    2⤵
    • Launches sc.exe
    PID:5468
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:6052
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:6044
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:5724
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    • Deletes NTFS Change Journal
    PID:5152
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:5996
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:5780
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:5948
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    2⤵
    PID:4948
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    2⤵
    PID:4508
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    2⤵
    PID:1724
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    2⤵
    PID:5684
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    2⤵
    • Launches sc.exe
    PID:1068
  • C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    2⤵
    PID:5696
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:4680
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:5384
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:2228
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    • Deletes NTFS Change Journal
    PID:2300
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:5564
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:5352
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:1944
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                    PID:5884
                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                    sc stop "SuperFetch"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:4948
                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                      sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:5852
                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                        fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:4876
                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                          sc stop "PcaSvc"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:3812
                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                            sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:624
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                              PID:4044
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                              PID:2796
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                              PID:4952
                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                              fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Deletes NTFS Change Journal
                                                                                                                                                                                                                                              PID:5188
                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                              fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Deletes NTFS Change Journal
                                                                                                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                                                                                                              PID:4216
                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                              fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Deletes NTFS Change Journal
                                                                                                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                                                                                                              PID:5864
                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                              sc stop "SysMain"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:6080
                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                PID:5012
                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                sc stop "SuperFetch"
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:1892
                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                  sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:5940
                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                    fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:5824
                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                      sc stop "PcaSvc"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:5888
                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                        sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:628
                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                          PID:1964
                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                          PID:4996
                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:5276
                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                            fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                            PID:4220
                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5348
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:6060
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4924
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:5692
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  • Launches sc.exe
  PID:6116
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:5768
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1996
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  • Launches sc.exe
  PID:5040
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:2372
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:412
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5976
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:2088
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  • Deletes NTFS Change Journal
  PID:5660
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Enumerates connected drives
  PID:6128
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Enumerates connected drives
  PID:5416
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  • Launches sc.exe
  PID:3424
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2656
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  • Launches sc.exe
  PID:5276
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  • Launches sc.exe
  PID:4220
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:5356
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  • Launches sc.exe
  PID:5448
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5260
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:1676
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5964
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1892
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  • Deletes NTFS Change Journal
  PID:5292
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5976
                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                                                                                                                                PID:1324
                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                sc stop "SysMain"
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:5476
                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                  sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                  PID:5400
                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                  sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:5544
                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                    sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                                                                    PID:6040
                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                    fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:1036
                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                      sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:6124
                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                        sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:5248
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                          PID:4896
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                          PID:1480
                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                          PID:5968
                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                          fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                          PID:3656
                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                          fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                          PID:5632
                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                          fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                          PID:5544
                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                          sc stop "SysMain"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:1384
                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                            sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5844
                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                              sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:5140
                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:2120
                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                  fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:5656
                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                    sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:5352
  • C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    2⤵
    • Launches sc.exe
    PID:5860
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:4188
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:5004
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:2384
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    • Deletes NTFS Change Journal
    PID:6084
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:536
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Enumerates connected drives
    PID:3504
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:3740
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    2⤵
    PID:5020
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    2⤵
    PID:5252
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    2⤵
    PID:6028
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    2⤵
    PID:5276
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    2⤵
    PID:5388
  • C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    2⤵
    PID:3996
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:2472
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:5964
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:1928
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    • Deletes NTFS Change Journal
    PID:1500
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Enumerates connected drives
    PID:3168
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Enumerates connected drives
    PID:4520
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:4876
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    2⤵
    • Launches sc.exe
    PID:6084
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    2⤵
    PID:536
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    2⤵
    PID:5368
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:4228
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                PID:2120
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                  PID:5328
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                  PID:6080
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                    PID:3780
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                    • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                    PID:1400
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                    fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:872
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                      fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                      PID:3136
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                      fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                      • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                      PID:4208
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                      sc stop "SysMain"
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                        PID:5576
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                        sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                          PID:1904
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                          sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                            PID:5976
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                            sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                            PID:5400
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                            fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                              PID:6024
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                              sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                PID:3280
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                PID:3504
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3908
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                  • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                  PID:5692
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  • Hide Artifacts: Ignore Process Interrupts
  PID:5680
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  • Deletes NTFS Change Journal
  PID:5700
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:5768
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  • Enumerates connected drives
  PID:4896
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  PID:2988
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  • Launches sc.exe
  PID:6132
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  PID:5360
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  PID:5884
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  PID:4948
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  PID:1904
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  PID:3168
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  • Hide Artifacts: Ignore Process Interrupts
  PID:3656
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  • Hide Artifacts: Ignore Process Interrupts
  PID:3280
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  • Hide Artifacts: Ignore Process Interrupts
  PID:1868
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  • Deletes NTFS Change Journal
  PID:5580
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  • Enumerates connected drives
  PID:640
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  • Enumerates connected drives
  PID:5604
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  PID:6088
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  • Launches sc.exe
  PID:2656
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  • Launches sc.exe
  PID:5668
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  PID:3284
• C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                  fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:1648
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                    sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:5860
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                      sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                      PID:4412
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3812
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                        powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                                        PID:1788
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                        powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                                        PID:4712
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                        fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:3932
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                          fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                          PID:556
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                          fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                          sc stop "SysMain"
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:5164
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                            sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:4952
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                              sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                              PID:3452
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                              sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3084
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:5680
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                  sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:5392
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                    sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:5436
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                      2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:840
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:5192
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:4796
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    PID:4260
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Enumerates connected drives
    PID:4200
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:2596
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    PID:3504
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    2⤵
    PID:3340
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    2⤵
    PID:1036
  • C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    2⤵
    PID:4180
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    2⤵
    PID:5440
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    2⤵
    • Launches sc.exe
    PID:5604
  • C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    2⤵
    PID:3928
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:4416
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    • Hide Artifacts: Ignore Process Interrupts
    PID:2472
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    2⤵
    PID:1648
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    2⤵
    PID:1552
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    2⤵
    • Deletes NTFS Change Journal
    • Enumerates connected drives
    PID:3428
  • C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    2⤵
    • Enumerates connected drives
    PID:5976
  • C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    2⤵
    • Launches sc.exe
    PID:1384
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                          sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                          PID:4776
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                          sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:5744
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                            sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5316
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                              fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4544
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1996
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  sc config "PcaSvc" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1732
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2304
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1624
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6104
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5212
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:6008
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:712
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      sc stop "SysMain"
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:4880
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:412
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2940
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:1928
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1904
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2092
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4572
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:5764
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  • Hide Artifacts: Ignore Process Interrupts
  PID:556
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3584
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  • Deletes NTFS Change Journal
  PID:1356
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  • Enumerates connected drives
  PID:1932
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  • Deletes NTFS Change Journal
  • Enumerates connected drives
  PID:4240
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  • Launches sc.exe
  PID:4564
• C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  • Launches sc.exe
  PID:5940
• C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  • Launches sc.exe
  PID:3452
• C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:5040
• C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:5676
• C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  • Launches sc.exe
  PID:712
• C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  • Launches sc.exe
  PID:5360
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4188
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4772
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Hide Artifacts: Ignore Process Interrupts
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5456
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            fsutil usn deletejournal /d C:
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3756
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            fsutil usn deletejournal /d D:
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4712
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            fsutil usn deletejournal /d F:
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Deletes NTFS Change Journal
                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5764
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            sc stop "SysMain"
                                                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1972
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              sc config "SysMain" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1868
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              sc stop "SuperFetch"
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5752
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              sc config "SuperFetch" start=disabled
                                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4488
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SYSTEM32\fsutil.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                fsutil behavior set disablelastaccess 1
                                                                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3336
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SYSTEM32\sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  sc stop "PcaSvc"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5692
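The child processes above form one indicator-removal sequence: the sample stops and disables PcaSvc (which feeds Amcache) and SysMain/SuperFetch (which writes Prefetch), wipes the Prefetch directory on every volume it can find, deletes the NTFS USN change journal on C:, D: and F:, and turns off last-access timestamp updates. Each command on its own is something an administrator might run, so a detection has to correlate them per parent process. The following is an added example, not part of the sandbox report or the sample, showing that correlation over process-creation records. It assumes a simplified "pid|ppid|image|command_line" record (the fields Sysmon event 1 or Security 4688 with command-line auditing provide); the sample log lines are constructed from the tree above, with a placeholder parent PID of 4000 because the parent is not shown here, plus two benign lines under parent 5000 as a negative case.

```python
"""Correlate anti-forensic command lines per parent process.

Added example (not from the sandbox report). Rules mirror the sequence in the
process tree: sc stop/config of evidence-producing services, Prefetch wipes,
USN journal deletion, and disablelastaccess.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed records "pid|ppid|image|command_line". PIDs and command lines
# follow the report; parent PID 4000 is a placeholder (not in the report).
# Lines under parent 5000 are benign look-alikes that must not fire.
SAMPLE_LOG = r"""
712|4000|C:\Windows\SYSTEM32\sc.exe|sc stop "PcaSvc"
5360|4000|C:\Windows\SYSTEM32\sc.exe|sc config "PcaSvc" start=disabled
4188|4000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
4772|4000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
5456|4000|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
3756|4000|C:\Windows\SYSTEM32\fsutil.exe|fsutil usn deletejournal /d C:
4712|4000|C:\Windows\SYSTEM32\fsutil.exe|fsutil usn deletejournal /d D:
5764|4000|C:\Windows\SYSTEM32\fsutil.exe|fsutil usn deletejournal /d F:
1972|4000|C:\Windows\SYSTEM32\sc.exe|sc stop "SysMain"
1868|4000|C:\Windows\SYSTEM32\sc.exe|sc config "SysMain" start=disabled
5752|4000|C:\Windows\SYSTEM32\sc.exe|sc stop "SuperFetch"
4488|4000|C:\Windows\SYSTEM32\sc.exe|sc config "SuperFetch" start=disabled
3336|4000|C:\Windows\SYSTEM32\fsutil.exe|fsutil behavior set disablelastaccess 1
5692|4000|C:\Windows\SYSTEM32\sc.exe|sc stop "PcaSvc"
9001|5000|C:\Windows\SYSTEM32\sc.exe|sc query "wuauserv"
9002|5000|C:\Windows\SYSTEM32\fsutil.exe|fsutil usn queryjournal C:
"""

# (category, pattern). Group 1, where present, is the service name or the
# drive letter the action targets. Matching is case-insensitive because the
# report itself mixes SYSTEM32/System32 and PcaSvc/SysMain casing.
RULES = [
    ("service_disable",
     re.compile(r'\bsc(?:\.exe)?\s+(?:stop|config)\s+"?(pcasvc|sysmain|superfetch)"?', re.I)),
    ("prefetch_wipe",
     re.compile(r"remove-item\s+'?([a-z]):\\windows\\prefetch\\\*", re.I)),
    ("usn_journal_delete",
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\s+/d\s+([a-z]):", re.I)),
    ("lastaccess_disable",
     re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+disablelastaccess\s+1\b", re.I)),
]
PER_VOLUME = {"prefetch_wipe", "usn_journal_delete"}


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    event: Event
    category: str
    detail: Optional[str]  # service name or drive letter, upper-cased


@dataclass
class ParentSummary:
    ppid: int
    categories: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    drives: Set[str] = field(default_factory=set)
    findings: List[Finding] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A single category is noisy (SysMain is often disabled on VMs);
        # three or more distinct categories from one parent is the sequence.
        n = len(self.categories)
        return "anti-forensics sequence" if n >= 3 else ("suspicious" if n else "clean")


def parse_event(line: str) -> Optional[Event]:
    """Split one record; maxsplit keeps any '|' inside the command line."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    pid, ppid, image, cmdline = parts
    return Event(int(pid), int(ppid), image, cmdline)


def classify(event: Event) -> Optional[Finding]:
    """Return the first rule the command line matches, or None."""
    for category, pattern in RULES:
        m = pattern.search(event.cmdline)
        if m:
            detail = m.group(1).upper() if m.groups() else None
            return Finding(event, category, detail)
    return None


def analyze(log_text: str) -> Dict[int, ParentSummary]:
    """Group findings by parent PID; parents with no findings are omitted."""
    summaries: Dict[int, ParentSummary] = {}
    for raw in log_text.splitlines():
        event = parse_event(raw.strip())
        finding = classify(event) if event else None
        if finding is None:
            continue
        s = summaries.setdefault(event.ppid, ParentSummary(event.ppid))
        s.categories.add(finding.category)
        s.findings.append(finding)
        if finding.category == "service_disable":
            s.services.add(finding.detail)
        elif finding.category in PER_VOLUME:
            s.drives.add(finding.detail)
    return summaries


if __name__ == "__main__":
    for ppid, s in sorted(analyze(SAMPLE_LOG).items()):
        print(f"parent {ppid}: {s.verdict}; categories={sorted(s.categories)} "
              f"services={sorted(s.services)} drives={sorted(s.drives)}")
```

Two points for anyone turning this into a production rule. First, the drive set is itself a signal: a single volume is what an administrator touches, while the same command repeated across C:, D: and F: is the "Enumerates connected drives" behaviour the sandbox tagged. Second, once this sequence has run, the host-side evidence it targets is gone (`fsutil usn queryjournal C:` reports no active journal, and no new Prefetch files appear with SysMain stopped), so the detection must rely on process-creation telemetry that was already shipped off the host before the wipe.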
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -s w32time
  1⤵
  • Boot or Logon Autostart Execution: Time Providers
  • Suspicious use of AdjustPrivilegeToken
  PID:2468
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -s w32time
  1⤵
  • Boot or Logon Autostart Execution: Time Providers
  • Suspicious use of AdjustPrivilegeToken
  PID:3300
• C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3468
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\vds.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\System32\vds.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: LoadsDriver
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2936
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2472
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5212

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 384B
  MD5: 93d8e029ef835d2c269bd33a86e69666
  SHA1: cc538cb99fe790585bbd17e1273c4f48f5f18a46
  SHA256: c7c1ce4fac0f6116d86ab9f9591cb6c1cbe1309dbc805a33264b7a5ae2e4d46f
  SHA512: f1b0400ba019667ffbd0d6c7686596ef55b0dea13a7a56416b2f4d86e42711491b57c262cd17ac21221717711550941ee6d83eff60a5c436894687872868bb35

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      9b7ef9a6d82040fdcb30bba19b2de376

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                      623c662af6ef50745d59bf26bc92318e2a044131

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                      f32ad04a559408de2679f35a62218fe7fa8feac9f395e09552162bed4bfaf9c7

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                      88eb1e5b7611c6eeb9ab92fc0fcf6377093fa5a0aa4255c1e1cdd7b30df2cfaddff7e90015220e6cb267c743ea69a476781e2580386da815d3a215f11cc6a588

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      5KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      9953d654ed3e85db83be60baf2408a6a

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                      f86800d98a722eb75e4b1fd22d4515358fa91f7b

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                      9e4f359e57307989e80c349e200f8fc46de74f861f634b276d29543a60055aa0

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                      85ed92a581ee7ecb42ed96505aa52a18d25366fdcafbf7163bd09492eca1e86f327b2f3f5b23fd85fc9aac890c7b0c419a2992499bdd222d8abc37907ed74845

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      264e57e0b2c43a86a61304040896c301

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                      cba68bf4cf3c3e0df03df3afabef9b9fefc37269

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                      0d7e83b33ef776c738916706b73481cb32019f17df9fc8dcb44ba6f5f82e1784

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                      01dec32265f2d26ac85f02ba913ef7b19d4acb4ddbefabb76d608cdfccc06cadfd9722ed88168abf5033d16e9af1883d2f8db9a3030374de0f1a8d6a4ce23338

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      16B

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      11KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      986a1b505bb80c782464806b16a7afcc

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                      b18bb8cb9641c856736829e686427992d1d62510

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                      fbdc4eed0bd2bc9c756cc2218f81f167a2ce928bc5dd04e083d622c5242a9e37

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                      564dbe3bd1de407e0d35df302cdb289742ef0aa58e76b7e337d8b99e597d38b257f31284dc8d04204efc5101ab00a96b18a9ed6750868cf23952830caa6469db

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                      276798eeb29a49dc6e199768bc9c2e71

                                                                                                                                                                                                                                                                                                                                                                                                                                                      SHA1

  SHA1: 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
  SHA256: cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
  SHA512: 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1020B
  MD5: 45fccfe6c54ad093cc09323df85e8a90
  SHA1: 6f86ab530874edae4534163a0fc472e5f880303d
  SHA256: c3a2742bf5751d2a38757ae6cc44a4573c371e8ca5d8545360cc8f662d640560
  SHA512: 03a2d29ffcc7bab0a54aa20624bd2420a4b3a28ea788171443611f43500be67a4574dfbc2497458fdc807ecf8e45c40e80eb3e7365d86c6b0b41f11da17287f7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: cf0d0678f87066e4e91c88dff6d15abd
  SHA1: 28ead060c26359338039882cd1cdb4cb019c05fe
  SHA256: 06333424b3c24a937ed37963e2f70ac8511237d57ac65e62e5c04b7e0060f25b
  SHA512: 7c0070a3f4efa2f0ef9767ac26f951503d5ac3883a5023a3fd7db9e77c427ba6c533950851e0a145c9736b3d13da0b42e9ad798fe517971b4525718923563966

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nov3gd20.yox.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Windows\System32\Recovery\ReAgent.xml
  Filesize: 1KB
  MD5: bdefeb1aa8afa75e36bcc68613412e75
  SHA1: 68d92774e5695971aea5acc61a74c62dbb43efab
  SHA256: c5c3e183e13c2dc76eee80639bfdecc0ec64f0bae1b3b94561e037a52c989046
  SHA512: 5b15c1e47305f19cc6659e026e67da1c9a649784c7f21a6f20f42442669d346fa7ad52d95e579fea83389b1214ab21c4be940ba93335be5b10063580bd1ab94c

• memory/876-232-0x0000000140000000-0x000000014325E000-memory.dmp
  Filesize: 50.4MB

• memory/876-877-0x0000000140000000-0x000000014325E000-memory.dmp
  Filesize: 50.4MB

• memory/876-144-0x0000000140000000-0x000000014325E000-memory.dmp
  Filesize: 50.4MB

• memory/876-1235-0x0000000140000000-0x000000014325E000-memory.dmp
  Filesize: 50.4MB

• memory/876-0-0x00007FFD858F0000-0x00007FFD858F2000-memory.dmp
  Filesize: 8KB

• memory/876-1174-0x0000000140000000-0x000000014325E000-memory.dmp
  Filesize: 50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-1113-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-1032-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-961-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-4-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-355-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-5-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-3-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-456-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-2-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-537-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-635-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-704-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-778-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-54-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/876-1-0x0000000140000000-0x000000014325E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      50.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1628-14-0x00000207EF240000-0x00000207EF262000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1628-18-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1628-7-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1628-6-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      2.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1628-21-0x00007FFD85850000-0x00007FFD85A45000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                      2.0MB