Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-a2swps1bkm
Target 0BzMzlmT.exe
SHA256 01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
Tags
bootkit defense_evasion discovery evasion execution persistence ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Threat Level: Known bad

The file 0BzMzlmT.exe was found to be: Known bad.

Malicious Activity Summary

bootkit defense_evasion discovery evasion execution persistence ransomware themida trojan

Deletes NTFS Change Journal

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Server Software Component: Terminal Services DLL

Checks BIOS information in registry

Themida packer

Enumerates connected drives

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Indicator Removal: File Deletion

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Hide Artifacts: Ignore Process Interrupts

Launches sc.exe

Boot or Logon Autostart Execution: Time Providers

Drops file in Windows directory

Unsigned PE

System Time Discovery

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 00:42

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 00:42

Reported

2024-10-20 00:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\fsutil.exe N/A (64 identical entries)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL" C:\Windows\SYSTEM32\w32tm.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (20 identical entries)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\SYSTEM32\fsutil.exe N/A (32 identical entries)
File opened (read-only) \??\D: C:\Windows\SYSTEM32\fsutil.exe N/A (31 identical entries)
File opened (read-only) \??\F: C:\Windows\system32\MBR2GPT.EXE N/A

Indicator Removal: File Deletion

defense_evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\system32\MBR2GPT.EXE N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\System32\vds.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\ReAgentc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Boot or Logon Autostart Execution: Time Providers

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660038006200300035006100000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 C:\Windows\SYSTEM32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer C:\Windows\SYSTEM32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" C:\Windows\SYSTEM32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660038006200300035006100000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" C:\Windows\SYSTEM32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0" C:\Windows\SYSTEM32\w32tm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Prefetch\SEARCHAPP.EXE-0651CA85.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\AgGlFaultHistory.db C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98F22970.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-97BCF638.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\DISM.EXE-DE199F71.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\DISMHOST.EXE-711E3AC4.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\vds.exe N/A
File opened for modification C:\Windows\Prefetch\HNAORH.EXE-CF16D900.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\ReadyBoot\rblayout.xin C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\ReadyBoot\Trace2.fx C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-0C84305E.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-8102A33C.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\ReadyBoot\Trace1.fx C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\AgRobust.db C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\STARTMENUEXPERIENCEHOST.EXE-D80E778C.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (64 identical entries)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A (64 identical entries)

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\SYSTEM32\net.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\SYSTEM32\net.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\SYSTEM32\net.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved) C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\vds.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved) C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\System32\vds.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved) C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\vds.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved) C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\System32\vds.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\System32\vds.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(row repeated 58 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 4 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
(row repeated 2 times)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\System32\vds.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\ReAgentc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 25 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 24 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 876 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 5044 wrote to memory of 4692 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 5044 wrote to memory of 4692 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 876 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 876 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 916 wrote to memory of 3164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 3164 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 876 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\Wbem\wmic.exe
PID 876 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\Wbem\wmic.exe
PID 876 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\w32tm.exe
PID 876 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 876 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\net.exe
PID 876 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2872 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 876 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\fsutil.exe
PID 876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\SYSTEM32\sc.exe
PID 876 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
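The WriteProcessMemory table above shows a single parent, PID 876 (0BzMzlmT.exe), spawning every living-off-the-land binary in the chain: powershell.exe, net.exe/net1.exe, w32tm.exe, wmic.exe, fsutil.exe and sc.exe. Taken one at a time most of those children look like administration (an admin disabling SysMain on an SSD, a script resyncing the clock); what makes this sample stand out is the whole sequence under one launcher: USN journal deletion, Prefetch wipes, disabling last-access timestamps, stopping PcaSvc and SysMain, firmware and TPM checks, and an MBR-to-GPT conversion. The Python below is an added example, not part of the sandbox report and not the sample's own code, of how a detection engineer can correlate process-creation events by parent PID and flag the chain rather than each command. The rule patterns are written from the command lines this report records in the Processes section; the event list is constructed to mirror them, and both the pairing of child PIDs to specific commands and the parent of the cmd.exe that runs mbr2gpt are assumptions.

```python
"""Added example (not part of the sandbox report): correlate the anti-forensic and
firmware-recon command chain by parent PID. Patterns are derived from the command
lines recorded in this report; SAMPLE_EVENTS is constructed to mirror them, and the
PID-to-command pairing and the parent of cmd.exe are assumptions, not sandbox output."""
import re
from collections import defaultdict

# (rule name, tactic tag as used in this report, pattern over the process command line)
RULES = [
    ("usn_journal_delete", "defense_evasion",
     re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)),
    ("prefetch_wipe", "defense_evasion",
     re.compile(r"remove-item\s+'?[a-z]:\\windows\\prefetch\\\*", re.I)),
    ("disable_lastaccess", "defense_evasion",
     re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+disablelastaccess\s+1\b", re.I)),
    ("stop_telemetry_service", "defense_evasion",
     re.compile(r'\bsc(?:\.exe)?\s+(?:stop|config)\s+"?(?:pcasvc|sysmain|superfetch)"?', re.I)),
    ("firmware_recon", "discovery",
     re.compile(r"firmware_type|confirm-securebootuefi|win32_tpm|virtualizationfirmwareenabled", re.I)),
    ("mbr2gpt_convert", "bootkit",
     re.compile(r"\bmbr2gpt(?:\.exe)?\s+.*?/convert\b", re.I)),
    ("w32time_cycle", "persistence",
     re.compile(r"\bw32tm(?:\.exe)?\s+/(?:unregister|register)\b"
                r"|\bnet1?(?:\.exe)?\s+(?:stop|start)\s+w32time\b", re.I)),
]
TACTIC = {name: tactic for name, tactic, _ in RULES}


def match_rules(cmdline):
    """Names of every rule whose pattern matches one process command line."""
    return [name for name, _tactic, pat in RULES if pat.search(cmdline)]


def correlate(events):
    """Collect distinct rule hits per parent PID. The launcher, not each short-lived
    LOLBin child, is the unit worth scoring; parents with no hits are dropped."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["ppid"]].update(match_rules(ev["cmdline"]))
    return {ppid: names for ppid, names in hits.items() if names}


def verdict(events, min_evasion_rules=3):
    """Flag a parent once it has driven at least min_evasion_rules distinct
    defense-evasion behaviours. One 'sc config SysMain start=disabled' is routine
    admin work; journal deletion plus Prefetch wipe plus service shutdown under the
    same parent is not. Discovery, bootkit and persistence hits are reported
    alongside but do not count toward the threshold."""
    out = {}
    for ppid, names in correlate(events).items():
        evasion = sorted(n for n in names if TACTIC[n] == "defense_evasion")
        other = sorted(n for n in names if TACTIC[n] != "defense_evasion")
        out[ppid] = {"flagged": len(evasion) >= min_evasion_rules,
                     "evasion": evasion, "other": other}
    return out


# Constructed process-creation events shaped like Sysmon Event ID 1. Parent 876 and the
# command lines follow this report; which child PID ran which command is assumed.
SAMPLE_EVENTS = [
    {"pid": 1628, "ppid": 876, "cmdline": "powershell.exe -command Remove-Item "
     "'C:\\Users\\Admin\\AppData\\Local\\Temp\\0BzMzlmT.exe.bak' -force"},
    {"pid": 5044, "ppid": 876, "cmdline": "net stop w32time"},
    {"pid": 968, "ppid": 876, "cmdline": "w32tm /unregister"},
    {"pid": 1452, "ppid": 876, "cmdline": "w32tm /register"},
    {"pid": 5012, "ppid": 876, "cmdline": "wmic cpu get VirtualizationFirmwareEnabled"},
    {"pid": 1540, "ppid": 876, "cmdline": 'powershell -command "$env:firmware_type"'},
    {"pid": 1036, "ppid": 876, "cmdline": 'powershell -command "confirm-securebootuefi"'},
    {"pid": 3728, "ppid": 876, "cmdline": "fsutil behavior set disablelastaccess 1"},
    {"pid": 3368, "ppid": 876, "cmdline": "w32tm /resync /force"},
    {"pid": 4936, "ppid": 876, "cmdline": 'sc stop "PcaSvc"'},
    {"pid": 8, "ppid": 876, "cmdline": 'sc config "PcaSvc" start=disabled'},
    {"pid": 4812, "ppid": 876, "cmdline": "powershell.exe -command \"Remove-Item "
     "'C:\\Windows\\Prefetch\\*' -force -recurse -ErrorAction SilentlyContinue\""},
    {"pid": 3916, "ppid": 876, "cmdline": "fsutil usn deletejournal /d C:"},
    {"pid": 3960, "ppid": 876, "cmdline": 'sc stop "SysMain"'},
    # The parent of the cmd.exe wrapper is not recorded in the report; 876 is assumed.
    {"pid": 4401, "ppid": 876, "cmdline": "cmd.exe /c mbr2gpt /convert /allowFullOS"},
    # Constructed benign admin session under another parent: must not be flagged.
    {"pid": 7001, "ppid": 3000, "cmdline": "sc query wuauserv"},
    {"pid": 7002, "ppid": 3000, "cmdline": 'sc config "SysMain" start=disabled'},
    {"pid": 7003, "ppid": 3000, "cmdline": "fsutil usn queryjournal C:"},
]

if __name__ == "__main__":
    for ppid, result in sorted(verdict(SAMPLE_EVENTS).items()):
        print(ppid, result)
```

Run against these constructed events, parent 876 is flagged with four distinct defense-evasion rules and three further hits (firmware recon, mbr2gpt, the w32time stop/unregister/register cycle), while the constructed admin session under parent 3000 stays below the threshold with a single SysMain change. To use it on real telemetry, map Sysmon Event ID 1 or Security 4688 records (with command-line auditing enabled) onto the pid/ppid/cmdline fields; the threshold and the per-rule tactic tags are the knobs to tune, and the w32time cycle is kept as a separate, non-scoring rule because on its own it is also what a legitimate time-service repair looks like.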

Processes

C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe

"C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force

C:\Windows\SYSTEM32\net.exe

net stop w32time

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop w32time

C:\Windows\SYSTEM32\w32tm.exe

w32tm /unregister

C:\Windows\SYSTEM32\w32tm.exe

w32tm /register

C:\Windows\SYSTEM32\net.exe

net start w32time

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start w32time

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s w32time

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get VirtualizationFirmwareEnabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$env:firmware_type"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "confirm-securebootuefi"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\w32tm.exe

w32tm /resync /force

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\net.exe

net stop w32time

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop w32time

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s w32time

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reagentc /enable

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\system32\ReAgentc.exe

reagentc /enable

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mbr2gpt /convert /allowFullOS

C:\Windows\system32\MBR2GPT.EXE

mbr2gpt /convert /allowFullOS

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65c046f8,0x7ffd65c04708,0x7ffd65c04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

C:\Windows\SYSTEM32\sc.exe

sc config "PcaSvc" start=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d C:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d D:

C:\Windows\SYSTEM32\fsutil.exe

fsutil usn deletejournal /d F:

C:\Windows\SYSTEM32\sc.exe

sc stop "SysMain"

C:\Windows\SYSTEM32\sc.exe

sc config "SysMain" start=disabled

C:\Windows\SYSTEM32\sc.exe

sc stop "SuperFetch"

C:\Windows\SYSTEM32\sc.exe

sc config "SuperFetch" start=disabled

C:\Windows\SYSTEM32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SYSTEM32\sc.exe

sc stop "PcaSvc"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 00:42

Reported

2024-10-20 00:46

Platform

win7-20240903-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL" C:\Windows\system32\w32tm.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Indicator Removal: File Deletion

defense_evasion

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Boot or Logon Autostart Execution: Time Providers

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" C:\Windows\system32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\system32\\w32time.DLL" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "604800" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\Enabled = "0" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\Enabled = "1" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" C:\Windows\system32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\system32\\w32time.DLL" C:\Windows\system32\w32tm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" C:\Windows\system32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient C:\Windows\system32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" C:\Windows\system32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\InputProvider = "1" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" C:\Windows\system32\w32tm.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpServer\InputProvider = "0" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" C:\Windows\system32\w32tm.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" C:\Windows\system32\w32tm.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" C:\Windows\system32\w32tm.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 2556 wrote to memory of 2580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2556 wrote to memory of 2580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2556 wrote to memory of 2580 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\Wbem\wmic.exe
PID 3028 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\Wbem\wmic.exe
PID 3028 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\Wbem\wmic.exe
PID 3028 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 376 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2476 wrote to memory of 376 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2476 wrote to memory of 376 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\w32tm.exe
PID 3028 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 3028 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\net.exe
PID 2860 wrote to memory of 1748 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2860 wrote to memory of 1748 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2860 wrote to memory of 1748 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\WerFault.exe
PID 3028 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\WerFault.exe
PID 3028 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe C:\Windows\system32\WerFault.exe

Processes

Image C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe
Command line "C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"

Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force

Image C:\Windows\system32\net.exe
Command line net stop w32time

Image C:\Windows\system32\net1.exe
Command line C:\Windows\system32\net1 stop w32time

Image C:\Windows\system32\w32tm.exe
Command line w32tm /unregister

Image C:\Windows\system32\w32tm.exe
Command line w32tm /register

Image C:\Windows\system32\net.exe
Command line net start w32time

Image C:\Windows\System32\Wbem\wmic.exe
Command line wmic cpu get VirtualizationFirmwareEnabled

Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -command "confirm-securebootuefi"

Image C:\Windows\system32\net1.exe
Command line C:\Windows\system32\net1 start w32time

Image C:\Windows\system32\w32tm.exe
Command line w32tm /resync /force

Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -command "$env:firmware_type"

Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"

Image C:\Windows\system32\net.exe
Command line net stop w32time

Image C:\Windows\system32\net1.exe
Command line C:\Windows\system32\net1 stop w32time

Image C:\Windows\system32\WerFault.exe
Command line C:\Windows\system32\WerFault.exe -u -p 3028 -s 856
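
The process list above records two things worth turning into detection logic. First, the sample drives a full W32Time cycle from its own process: net stop w32time, w32tm /unregister, w32tm /register, net start w32time, then w32tm /resync /force, which is the activity behind the report's "Boot or Logon Autostart Execution: Time Providers" signature. Second, it runs a cluster of pre-boot environment probes (the CPU virtualization-firmware flag via wmic, Confirm-SecureBootUEFI, $env:firmware_type for BIOS versus UEFI, and the Win32_Tpm WMI class), the kind of checks a bootkit stage needs before it can decide how to install. The Python below is an added example, not part of the report and not code from the sample: it replays a process-creation log, attributes net1.exe's activity back to the process that launched net.exe, and raises one finding when all four time-service verbs appear in stop/unregister/register/start order under a single driving process (severity high when that process lives in a user-writable path) and another when two or more of the firmware probes come from the same driver. The event list is constructed from the command lines above; every PID except the sample's 3028, the ProcEvent and Finding types, and the rule names are this example's own inventions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:          # one process-creation record (e.g. a Sysmon Event ID 1)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    severity: str
    driver_pid: int
    driver_image: str
    evidence: List[str]


# Steps of the W32Time re-registration cycle; net1.exe re-issues net.exe's verb, so both match.
TIME_PROVIDER_STEPS = {
    "stop": re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+w32time\b", re.I),
    "unregister": re.compile(r"\bw32tm(?:\.exe)?\s+/unregister\b", re.I),
    "register": re.compile(r"\bw32tm(?:\.exe)?\s+/register\b", re.I),
    "start": re.compile(r"\bnet1?(?:\.exe)?\s+start\s+w32time\b", re.I),
}
# Firmware / Secure Boot / TPM probes seen in the detonation.
FIRMWARE_RECON = {
    "cpu_virt": re.compile(r"VirtualizationFirmwareEnabled", re.I),
    "secure_boot": re.compile(r"Confirm-SecureBootUEFI", re.I),
    "firmware_type": re.compile(r"\$env:firmware_type", re.I),
    "tpm": re.compile(r"Win32_Tpm", re.I),
}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Users\\Public)\\", re.I)
PASS_THROUGH = {"net.exe", "cmd.exe"}  # helpers whose children are attributed to their parent

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET, NET1 = r"C:\Windows\system32\net.exe", r"C:\Windows\system32\net1.exe"
W32TM, WMIC = r"C:\Windows\system32\w32tm.exe", r"C:\Windows\System32\Wbem\wmic.exe"

# Constructed log in creation order: command lines are the report's; PIDs other than 3028 are made up.
SAMPLE_EVENTS = [
    ProcEvent(3028, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2476, 3028, NET, "net stop w32time"),
    ProcEvent(376, 2476, NET1, r"C:\Windows\system32\net1 stop w32time"),
    ProcEvent(1500, 3028, W32TM, "w32tm /unregister"),
    ProcEvent(1510, 3028, W32TM, "w32tm /register"),
    ProcEvent(2860, 3028, NET, "net start w32time"),
    ProcEvent(3100, 3028, WMIC, "wmic cpu get VirtualizationFirmwareEnabled"),
    ProcEvent(1396, 3028, PS, 'powershell -command "confirm-securebootuefi"'),
    ProcEvent(1748, 2860, NET1, r"C:\Windows\system32\net1 start w32time"),
    ProcEvent(1520, 3028, W32TM, "w32tm /resync /force"),
    ProcEvent(1764, 3028, PS, 'powershell -command "$env:firmware_type"'),
    ProcEvent(3200, 3028, PS, r'''powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"'''),
]
# Constructed benign control: an admin forcing a resync and one probe from an interactive cmd.exe.
BENIGN_EVENTS = [
    ProcEvent(4000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4001, 4000, W32TM, "w32tm /resync /force"),
    ProcEvent(4002, 4000, PS, 'powershell -command "confirm-securebootuefi"'),
]


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _driver(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Tuple[int, str]:
    """Walk up past pass-through helpers to the process that actually drives this event."""
    cur = ev
    while True:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return cur.ppid, "<unknown>"
        if _base(parent.image) in PASS_THROUGH and parent.ppid in by_pid:
            cur = parent
            continue
        return parent.pid, parent.image


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    cycle: Dict[int, Dict[str, int]] = defaultdict(dict)  # driver pid -> step -> first event index
    recon: Dict[int, Dict[str, int]] = defaultdict(dict)
    image_of: Dict[int, str] = {}
    for idx, ev in enumerate(events):
        dpid, dimg = _driver(ev, by_pid)
        image_of.setdefault(dpid, dimg)
        for step, rx in TIME_PROVIDER_STEPS.items():
            if step not in cycle[dpid] and rx.search(ev.cmdline):
                cycle[dpid][step] = idx
        for probe, rx in FIRMWARE_RECON.items():
            if probe not in recon[dpid] and rx.search(ev.cmdline):
                recon[dpid][probe] = idx

    findings: List[Finding] = []
    for dpid, steps in cycle.items():
        if len(steps) < len(TIME_PROVIDER_STEPS):
            continue
        order = [steps[s] for s in TIME_PROVIDER_STEPS]  # stop, unregister, register, start
        if order != sorted(order):
            continue  # all four verbs seen, but not as one stop / re-register / start cycle
        sev = "high" if USER_WRITABLE.search(image_of[dpid]) else "medium"
        findings.append(Finding("w32time_provider_reregistration", sev, dpid,
                                image_of[dpid], [events[i].cmdline for i in order]))
    for dpid, probes in recon.items():
        if len(probes) >= 2:  # a single probe is routine; several together are not
            findings.append(Finding("firmware_secureboot_tpm_recon", "medium", dpid, image_of[dpid],
                                    [events[i].cmdline for i in sorted(probes.values())]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.severity, f.driver_pid, f.driver_image, *f.evidence, sep="\n  ")
```

Run stand-alone it prints the two findings for the constructed log; to use it on real data, feed process-creation records in creation order. The cycle rule deliberately requires all four verbs in order from one driver, so a lone w32tm /resync from an administrator does not fire, while an administrator who re-registers the service interactively produces the same cycle at medium severity and is left for the analyst to triage.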

Network

Country  Destination         Domain          Proto
US       8.8.8.8:53          ringcheats.com  udp
GB       143.244.38.136:443  ringcheats.com  tcp
N/A      127.0.0.1:49223                     tcp

Files

memory/3028-0-0x00000000773E0000-0x00000000773E2000-memory.dmp

memory/3028-1-0x0000000140000000-0x000000014325E000-memory.dmp

memory/3028-3-0x0000000140000000-0x000000014325E000-memory.dmp

memory/3028-2-0x0000000140000000-0x000000014325E000-memory.dmp

memory/3028-5-0x0000000140000000-0x000000014325E000-memory.dmp

memory/3028-4-0x0000000140000000-0x000000014325E000-memory.dmp

memory/2888-10-0x0000000077390000-0x0000000077539000-memory.dmp

memory/2888-11-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2888-12-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/2888-14-0x0000000077390000-0x0000000077539000-memory.dmp

memory/3028-13-0x0000000140000000-0x000000014325E000-memory.dmp

memory/3028-21-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2e67f962576bb2d759848e5a9049ad78
SHA1 1b9f514582432f318b4c861dadbd25b881bbdb4c
SHA256 3d8a2ca80738bd785f68869b468bfa6fd50359f0b92c59a5bb095c431394d32b
SHA512 62d81c3f29c507071c907611e891e29ef0182c3e267f7a9684ed6cde62cc106e95055e754c364b42928f8967bd83daca9aa8e472bc99d4dda171a23f525b0947

memory/2372-38-0x000000001B590000-0x000000001B872000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2372-43-0x0000000002960000-0x0000000002968000-memory.dmp

memory/3028-49-0x0000000140000000-0x000000014325E000-memory.dmp