Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-11-2024 14:37

General

  • Target

    0kZvTYku.exe

  • Size

    27.9MB

  • MD5

    34e055a67b10a1a14994b6b3457698e2

  • SHA1

    6b299dca56f55a0656b23fd035f4353dc049343a

  • SHA256

    01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

  • SHA512

    8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218

  • SSDEEP

    786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 24 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs

    The Windows Time service (W32Time) enables time synchronization across and within domains.

  • Drops file in Windows directory 64 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 24 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Launches sc.exe 48 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • System Time Discovery 1 TTPs 6 IoCs

    Adversaries may gather the system time and/or time zone settings from a local or remote system.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe
    "C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe.bak' -force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4248
    • C:\Windows\SYSTEM32\net.exe
      net stop w32time
      2⤵
      • System Time Discovery
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop w32time
        3⤵
        • System Time Discovery
        PID:3720
    • C:\Windows\SYSTEM32\w32tm.exe
      w32tm /unregister
      2⤵
        PID:1428
      • C:\Windows\SYSTEM32\w32tm.exe
        w32tm /register
        2⤵
        • Server Software Component: Terminal Services DLL
        • Boot or Logon Autostart Execution: Time Providers
        PID:2040
      • C:\Windows\SYSTEM32\net.exe
        net start w32time
        2⤵
        • System Time Discovery
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start w32time
          3⤵
          • System Time Discovery
          PID:1508
      • C:\Windows\System32\Wbem\wmic.exe
        wmic cpu get VirtualizationFirmwareEnabled
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "$env:firmware_type"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1084
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "confirm-securebootuefi"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1244
      • C:\Windows\SYSTEM32\fsutil.exe
        fsutil behavior set disablelastaccess 1
        2⤵
          PID:2944
        • C:\Windows\SYSTEM32\w32tm.exe
          w32tm /resync /force
          2⤵
            PID:4428
          • C:\Windows\SYSTEM32\sc.exe
            sc stop "PcaSvc"
            2⤵
            • Launches sc.exe
            PID:2024
          • C:\Windows\SYSTEM32\sc.exe
            sc config "PcaSvc" start=disabled
            2⤵
            • Launches sc.exe
            PID:3648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
            2⤵
            • Drops file in Windows directory
            • Hide Artifacts: Ignore Process Interrupts
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
            2⤵
            • Hide Artifacts: Ignore Process Interrupts
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:988
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              3⤵
                PID:3232
            • C:\Windows\SYSTEM32\net.exe
              net stop w32time
              2⤵
              • System Time Discovery
              • Suspicious use of WriteProcessMemory
              PID:1704
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop w32time
                3⤵
                • System Time Discovery
                PID:3128
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
              2⤵
              • Hide Artifacts: Ignore Process Interrupts
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1520
            • C:\Windows\SYSTEM32\fsutil.exe
              fsutil usn deletejournal /d C:
              2⤵
              • Deletes NTFS Change Journal
              PID:3492
            • C:\Windows\SYSTEM32\fsutil.exe
              fsutil usn deletejournal /d D:
              2⤵
              • Deletes NTFS Change Journal
              • Enumerates connected drives
              PID:1988
            • C:\Windows\SYSTEM32\fsutil.exe
              fsutil usn deletejournal /d F:
              2⤵
              • Deletes NTFS Change Journal
              • Enumerates connected drives
              PID:4616
            • C:\Windows\SYSTEM32\sc.exe
              sc stop "SysMain"
              2⤵
              • Launches sc.exe
              PID:1172
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                3⤵
                  PID:2944
              • C:\Windows\SYSTEM32\sc.exe
                sc config "SysMain" start=disabled
                2⤵
                • Launches sc.exe
                PID:400
              • C:\Windows\SYSTEM32\sc.exe
                sc stop "SuperFetch"
                2⤵
                • Launches sc.exe
                PID:3536
              • C:\Windows\SYSTEM32\sc.exe
                sc config "SuperFetch" start=disabled
                2⤵
                • Launches sc.exe
                PID:3092
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  3⤵
                    PID:4860
                • C:\Windows\SYSTEM32\fsutil.exe
                  fsutil behavior set disablelastaccess 1
                  2⤵
                    PID:5000
                  • C:\Windows\SYSTEM32\sc.exe
                    sc stop "PcaSvc"
                    2⤵
                    • Launches sc.exe
                    PID:1328
                  • C:\Windows\SYSTEM32\sc.exe
                    sc config "PcaSvc" start=disabled
                    2⤵
                    • Launches sc.exe
                    PID:1412
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                    2⤵
                    • Hide Artifacts: Ignore Process Interrupts
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2676
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                    2⤵
                    • Hide Artifacts: Ignore Process Interrupts
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1404
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                    2⤵
                    • Hide Artifacts: Ignore Process Interrupts
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1236
                  • C:\Windows\SYSTEM32\fsutil.exe
                    fsutil usn deletejournal /d C:
                    2⤵
                    • Deletes NTFS Change Journal
                    PID:2564
                  • C:\Windows\SYSTEM32\fsutil.exe
                    fsutil usn deletejournal /d D:
                    2⤵
                    • Deletes NTFS Change Journal
                    • Enumerates connected drives
                    PID:4212
                  • C:\Windows\SYSTEM32\fsutil.exe
                    fsutil usn deletejournal /d F:
                    2⤵
                    • Deletes NTFS Change Journal
                    • Enumerates connected drives
                    PID:1920
                  • C:\Windows\SYSTEM32\sc.exe
                    sc stop "SysMain"
                    2⤵
                    • Launches sc.exe
                    PID:1224
                  • C:\Windows\SYSTEM32\sc.exe
                    sc config "SysMain" start=disabled
                    2⤵
                    • Launches sc.exe
                    PID:2804
                  • C:\Windows\SYSTEM32\sc.exe
                    sc stop "SuperFetch"
                    2⤵
                    • Launches sc.exe
                    PID:4420
                  • C:\Windows\SYSTEM32\sc.exe
                    sc config "SuperFetch" start=disabled
                    2⤵
                    • Launches sc.exe
                    PID:3496
                  • C:\Windows\SYSTEM32\fsutil.exe
                    fsutil behavior set disablelastaccess 1
                    2⤵
                      PID:4072
                    • C:\Windows\SYSTEM32\sc.exe
                      sc stop "PcaSvc"
                      2⤵
                      • Launches sc.exe
                      PID:3448
                    • C:\Windows\SYSTEM32\sc.exe
                      sc config "PcaSvc" start=disabled
                      2⤵
                      • Launches sc.exe
                      PID:3932
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                      2⤵
                      • Hide Artifacts: Ignore Process Interrupts
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4920
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                      2⤵
                      • Hide Artifacts: Ignore Process Interrupts
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1444
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                      2⤵
                      • Hide Artifacts: Ignore Process Interrupts
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2672
                    • C:\Windows\SYSTEM32\fsutil.exe
                      fsutil usn deletejournal /d C:
                      2⤵
                      • Deletes NTFS Change Journal
                      PID:4060
                    • C:\Windows\SYSTEM32\fsutil.exe
                      fsutil usn deletejournal /d D:
                      2⤵
                      • Deletes NTFS Change Journal
                      • Enumerates connected drives
                      PID:1428
                    • C:\Windows\SYSTEM32\fsutil.exe
                      fsutil usn deletejournal /d F:
                      2⤵
                      • Deletes NTFS Change Journal
                      • Enumerates connected drives
                      PID:904
                    • C:\Windows\SYSTEM32\sc.exe
                      sc stop "SysMain"
                      2⤵
                      • Launches sc.exe
                      PID:1764
                    • C:\Windows\SYSTEM32\sc.exe
                      sc config "SysMain" start=disabled
                      2⤵
                      • Launches sc.exe
                      PID:900
                    • C:\Windows\SYSTEM32\sc.exe
                      sc stop "SuperFetch"
                      2⤵
                      • Launches sc.exe
                      PID:4760
                    • C:\Windows\SYSTEM32\sc.exe
                      sc config "SuperFetch" start=disabled
                      2⤵
                      • Launches sc.exe
                      PID:1080
                    • C:\Windows\SYSTEM32\fsutil.exe
                      fsutil behavior set disablelastaccess 1
                      2⤵
                        PID:2564
                      • C:\Windows\SYSTEM32\sc.exe
                        sc stop "PcaSvc"
                        2⤵
                        • Launches sc.exe
                        PID:5032
                      • C:\Windows\SYSTEM32\sc.exe
                        sc config "PcaSvc" start=disabled
                        2⤵
                        • Launches sc.exe
                        PID:2804
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                        2⤵
                        • Hide Artifacts: Ignore Process Interrupts
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4420
                      • C:\Windows\SYSTEM32\fsutil.exe
                        fsutil behavior set disablelastaccess 1
                        2⤵
                          PID:3648
                        • C:\Windows\SYSTEM32\sc.exe
                          sc stop "PcaSvc"
                          2⤵
                          • Launches sc.exe
                          PID:1360
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                          2⤵
                          • Hide Artifacts: Ignore Process Interrupts
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1580
                        • C:\Windows\SYSTEM32\sc.exe
                          sc config "PcaSvc" start=disabled
                          2⤵
                          • Launches sc.exe
                          PID:4612
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                          2⤵
                          • Hide Artifacts: Ignore Process Interrupts
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3008
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                          2⤵
                          • Hide Artifacts: Ignore Process Interrupts
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3944
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                          2⤵
                          • Hide Artifacts: Ignore Process Interrupts
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1428
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d C:
                          2⤵
                          • Deletes NTFS Change Journal
                          PID:692
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d D:
                          2⤵
                          • Deletes NTFS Change Journal
                          • Enumerates connected drives
                          PID:3128
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d F:
                          2⤵
                          • Deletes NTFS Change Journal
                          • Enumerates connected drives
                          PID:884
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                          2⤵
                          • Hide Artifacts: Ignore Process Interrupts
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2124
                        • C:\Windows\SYSTEM32\sc.exe
                          sc stop "SysMain"
                          2⤵
                          • Launches sc.exe
                          PID:1840
                        • C:\Windows\SYSTEM32\sc.exe
                          sc config "SysMain" start=disabled
                          2⤵
                          • Launches sc.exe
                          PID:3868
                        • C:\Windows\SYSTEM32\sc.exe
                          sc stop "SuperFetch"
                          2⤵
                          • Launches sc.exe
                          PID:444
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d C:
                          2⤵
                          • Deletes NTFS Change Journal
                          PID:2468
                        • C:\Windows\SYSTEM32\sc.exe
                          sc config "SuperFetch" start=disabled
                          2⤵
                          • Launches sc.exe
                          PID:4756
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d D:
                          2⤵
                          • Deletes NTFS Change Journal
                          • Enumerates connected drives
                          PID:1360
                        • C:\Windows\SYSTEM32\fsutil.exe
                          fsutil usn deletejournal /d F:
                          2⤵
                          • Deletes NTFS Change Journal
                          • Enumerates connected drives
                          PID:2224
                        • C:\Windows\SYSTEM32\sc.exe
                          sc stop "SysMain"
                          2⤵
                          • Launches sc.exe
                          PID:2056
                        • C:\Windows\SYSTEM32\sc.exe
                          sc config "SysMain" start=disabled
                          2⤵
                          • Launches sc.exe
                          PID:3720
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            3⤵
                              PID:1580
                          • C:\Windows\SYSTEM32\sc.exe
                            sc stop "SuperFetch"
                            2⤵
                            • Launches sc.exe
                            PID:4444
                          • C:\Windows\SYSTEM32\sc.exe
                            sc config "SuperFetch" start=disabled
                            2⤵
                            • Launches sc.exe
                            PID:4168
                          • C:\Windows\SYSTEM32\fsutil.exe
                            fsutil behavior set disablelastaccess 1
                            2⤵
                              PID:2360
                            • C:\Windows\SYSTEM32\sc.exe
                              sc stop "PcaSvc"
                              2⤵
                              • Launches sc.exe
                              PID:4248
                            • C:\Windows\SYSTEM32\sc.exe
                              sc config "PcaSvc" start=disabled
                              2⤵
                              • Launches sc.exe
                              PID:552
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                              2⤵
                              • Hide Artifacts: Ignore Process Interrupts
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3944
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                              2⤵
                              • Hide Artifacts: Ignore Process Interrupts
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4596
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                              2⤵
                              • Hide Artifacts: Ignore Process Interrupts
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1876
                            • C:\Windows\SYSTEM32\fsutil.exe
                              fsutil behavior set disablelastaccess 1
                              2⤵
                                PID:4088
                              • C:\Windows\SYSTEM32\fsutil.exe
                                fsutil usn deletejournal /d C:
                                2⤵
                                • Deletes NTFS Change Journal
                                PID:1796
                              • C:\Windows\SYSTEM32\sc.exe
                                sc stop "PcaSvc"
                                2⤵
                                • Launches sc.exe
                                PID:3540
                              • C:\Windows\SYSTEM32\fsutil.exe
                                fsutil usn deletejournal /d D:
                                2⤵
                                • Deletes NTFS Change Journal
                                • Enumerates connected drives
                                PID:372
                              • C:\Windows\SYSTEM32\sc.exe
                                sc config "PcaSvc" start=disabled
                                2⤵
                                • Launches sc.exe
                                PID:4284
                              • C:\Windows\SYSTEM32\fsutil.exe
                                fsutil usn deletejournal /d F:
                                2⤵
                                • Deletes NTFS Change Journal
                                • Enumerates connected drives
                                PID:3028
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                2⤵
                                • Hide Artifacts: Ignore Process Interrupts
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3500
                              • C:\Windows\SYSTEM32\sc.exe
                                sc stop "SysMain"
                                2⤵
                                • Launches sc.exe
                                PID:3312
                              • C:\Windows\SYSTEM32\sc.exe
                                sc config "SysMain" start=disabled
                                2⤵
                                • Launches sc.exe
                                PID:1580
                              • C:\Windows\SYSTEM32\sc.exe
                                sc stop "SuperFetch"
                                2⤵
                                • Launches sc.exe
                                PID:4188
                              • C:\Windows\SYSTEM32\sc.exe
                                sc config "SuperFetch" start=disabled
                                2⤵
                                • Launches sc.exe
                                PID:1784
                              • C:\Windows\SYSTEM32\fsutil.exe
                                fsutil behavior set disablelastaccess 1
                                2⤵
                                  PID:5112
                                  • C:\Windows\System32\Conhost.exe
                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    3⤵
                                      PID:4248
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                    2⤵
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4004
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc stop "PcaSvc"
                                    2⤵
                                    • Launches sc.exe
                                    PID:692
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc config "PcaSvc" start=disabled
                                    2⤵
                                    • Launches sc.exe
                                    PID:2112
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                    2⤵
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1272
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                    2⤵
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4616
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                    2⤵
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:436
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d C:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    PID:1200
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d D:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    • Enumerates connected drives
                                    PID:2208
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
                                    2⤵
                                    • Hide Artifacts: Ignore Process Interrupts
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:2656
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d F:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    • Enumerates connected drives
                                    PID:1948
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc stop "SysMain"
                                    2⤵
                                    • Launches sc.exe
                                    PID:1552
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc config "SysMain" start=disabled
                                    2⤵
                                    • Launches sc.exe
                                    PID:4404
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc stop "SuperFetch"
                                    2⤵
                                    • Launches sc.exe
                                    PID:3904
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc config "SuperFetch" start=disabled
                                    2⤵
                                    • Launches sc.exe
                                    PID:1264
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d C:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    PID:4920
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d D:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    • Enumerates connected drives
                                    PID:1236
                                  • C:\Windows\SYSTEM32\fsutil.exe
                                    fsutil usn deletejournal /d F:
                                    2⤵
                                    • Deletes NTFS Change Journal
                                    • Enumerates connected drives
                                    PID:396
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc stop "SysMain"
                                    2⤵
                                    • Launches sc.exe
                                    PID:828
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc config "SysMain" start=disabled
                                    2⤵
                                    • Launches sc.exe
                                    PID:440
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc stop "SuperFetch"
                                    2⤵
                                    • Launches sc.exe
                                    PID:316
                                  • C:\Windows\SYSTEM32\sc.exe
                                    sc config "SuperFetch" start=disabled
                                    2⤵
                                    • Launches sc.exe
                                    PID:780
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    cmd.exe /C timeout /t 1 /nobreak > nul & del "C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"
                                    2⤵
                                      PID:2348
                                      • C:\Windows\system32\timeout.exe
                                        timeout /t 1 /nobreak
                                        3⤵
                                        • Delays execution with timeout.exe
                                        PID:520
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -s w32time
                                    1⤵
                                    • Boot or Logon Autostart Execution: Time Providers
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4188
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -s w32time
                                    1⤵
                                    • Boot or Logon Autostart Execution: Time Providers
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3068

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                    Filesize: 2KB
                                    MD5: 6cf293cb4d80be23433eecf74ddb5503
                                    SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
                                    SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
                                    SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize: 1KB
                                    MD5: 88be3bc8a7f90e3953298c0fdbec4d72
                                    SHA1: f4969784ad421cc80ef45608727aacd0f6bf2e4b
                                    SHA256: 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
                                    SHA512: 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize: 1020B
                                    MD5: 3327a28128022a8114478f792a363012
                                    SHA1: b47d3313c8951f8b7fd26d5707740dcf5021ec18
                                    SHA256: b51041d595ae09530d03304466e9927f740884ec0882257035cbce6181a701c8
                                    SHA512: aa2f350bf180016b3dd9b54dd0d69547709bb20bc60adf3ff8ce85a2944c95b263dc01dff94ffc3da120e70cc7db396bbfbc408a5d6d270ae515bdea8fac4267

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize: 64B
                                    MD5: 3e2631323bdbc388d1fca634746db42f
                                    SHA1: 778174e49028290c1bf30ef4518019381e53706d
                                    SHA256: 48ba4fa73c48c539683eab69f82fe11b2d317b153c27ebd4e6ad4be14e4879d9
                                    SHA512: 05d7ae92ee999f9697883a425fff3ddf10ce57ea88def7ea73d98261c9d0c0e6e5bb119c1e26feee4d4b08c42a1dc80e6dd732825d0d66704ad5a8fb3aedc912

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize: 64B
                                    MD5: 446dd1cf97eaba21cf14d03aebc79f27
                                    SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
                                    SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
                                    SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mkwsclp.dby.ps1
                                    Filesize: 60B
                                    MD5: d17fe0a3f47be24a6453e9ef58c94641
                                    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                                    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                                    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  • memory/2544-4-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-5-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-0-0x00007FF9C0270000-0x00007FF9C0272000-memory.dmp
                                    Filesize: 8KB

                                  • memory/2544-3-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-2-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-64-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-1-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-122-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-176-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/2544-322-0x0000000140000000-0x000000014325E000-memory.dmp
                                    Filesize: 50.4MB

                                  • memory/4248-6-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp
                                    Filesize: 2.0MB

                                  • memory/4248-12-0x0000026A1EA70000-0x0000026A1EA92000-memory.dmp
                                    Filesize: 136KB

                                  • memory/4248-19-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp
                                    Filesize: 2.0MB