Analysis

max time kernel: 146s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12-11-2024 14:37
Behavioral task: behavioral1
Sample: 0kZvTYku.exe
Resource: win10v2004-20241007-en
General

Target: 0kZvTYku.exe
Size: 27.9MB
MD5: 34e055a67b10a1a14994b6b3457698e2
SHA1: 6b299dca56f55a0656b23fd035f4353dc049343a
SHA256: 01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512: 8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP: 786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3
Malware Config
Signatures
Deletes NTFS Change Journal 2 TTPs 24 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- 0kZvTYku.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
- w32tm.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 0kZvTYku.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 0kZvTYku.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Processes (YARA rule themida matched in memory dumps):
- behavioral1/memory/2544-1-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-2-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-3-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-4-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-5-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-64-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-122-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-176-0x0000000140000000-0x000000014325E000-memory.dmp
- behavioral1/memory/2544-322-0x0000000140000000-0x000000014325E000-memory.dmp
Checks whether UAC is enabled
Processes:
- 0kZvTYku.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\D:
- fsutil.exe: File opened (read-only) \??\F:
- fsutil.exe: File opened (read-only) \??\F:
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- PID 2544 0kZvTYku.exe
Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs
The Windows Time service (W32Time) enables time synchronization across and within domains.
Drops file in Windows directory 64 IoCs
Hide Artifacts: Ignore Process Interrupts 1 TTPs 24 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Launches sc.exe 48 IoCs
Sc.exe is a Windows utility to control services on the system.
Command and Scripting Interpreter: PowerShell
Processes:
- PID 1244 powershell.exe
- PID 4912 powershell.exe
- PID 1084 powershell.exe
System Time Discovery 1 TTPs 6 IoCs
Adversaries may gather the system time and/or time zone settings from a local or remote system.
Processes:
- PID 1704 net.exe
- PID 3128 net1.exe
- PID 3232 net.exe
- PID 3720 net1.exe
- PID 3100 net.exe
- PID 1508 net1.exe
Delays execution with timeout.exe 1 IoCs
Processes:
- PID 520 timeout.exe
Modifies registry class 1 IoCs
Processes:
- 0kZvTYku.exe: Key deleted \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE
Runs net.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- PID 2544 0kZvTYku.exe
- PID 2544 0kZvTYku.exe
- PID 2544 0kZvTYku.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

The bracketed number on each entry is the process's depth in the process tree (1 = the submitted sample, 2 = its direct children, 3 = grandchildren).

- [1] C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"
  PID: 2544
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe.bak' -force
    PID: 4248
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: net stop w32time
    PID: 3232
    Signatures: System Time Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop w32time
      PID: 3720
      Signatures: System Time Discovery
  - [2] C:\Windows\SYSTEM32\w32tm.exe
    Command line: w32tm /unregister
    PID: 1428
  - [2] C:\Windows\SYSTEM32\w32tm.exe
    Command line: w32tm /register
    PID: 2040
    Signatures: Server Software Component: Terminal Services DLL; Boot or Logon Autostart Execution: Time Providers
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: net start w32time
    PID: 3100
    Signatures: System Time Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 start w32time
      PID: 1508
      Signatures: System Time Discovery
  - [2] C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic cpu get VirtualizationFirmwareEnabled
    PID: 4860
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "$env:firmware_type"
    PID: 1084
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "confirm-securebootuefi"
    PID: 4912
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
    PID: 1244
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil behavior set disablelastaccess 1
    PID: 2944
  - [2] C:\Windows\SYSTEM32\w32tm.exe
    Command line: w32tm /resync /force
    PID: 4428
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "PcaSvc"
    PID: 2024
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "PcaSvc" start=disabled
    PID: 3648
    Signatures: Launches sc.exe
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 2980
    Signatures: Drops file in Windows directory; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 988
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3232
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: net stop w32time
    PID: 1704
    Signatures: System Time Discovery; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop w32time
      PID: 3128
      Signatures: System Time Discovery
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 1520
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d C:
    PID: 3492
    Signatures: Deletes NTFS Change Journal
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d D:
    PID: 1988
    Signatures: Deletes NTFS Change Journal; Enumerates connected drives
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d F:
    PID: 4616
    Signatures: Deletes NTFS Change Journal; Enumerates connected drives
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "SysMain"
    PID: 1172
    Signatures: Launches sc.exe
    - [3] C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 2944
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "SysMain" start=disabled
    PID: 400
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "SuperFetch"
    PID: 3536
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "SuperFetch" start=disabled
    PID: 3092
    Signatures: Launches sc.exe
    - [3] C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 4860
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil behavior set disablelastaccess 1
    PID: 5000
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "PcaSvc"
    PID: 1328
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "PcaSvc" start=disabled
    PID: 1412
    Signatures: Launches sc.exe
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 2676
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 1404
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 1236
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d C:
    PID: 2564
    Signatures: Deletes NTFS Change Journal
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d D:
    PID: 4212
    Signatures: Deletes NTFS Change Journal; Enumerates connected drives
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil usn deletejournal /d F:
    PID: 1920
    Signatures: Deletes NTFS Change Journal; Enumerates connected drives
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "SysMain"
    PID: 1224
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "SysMain" start=disabled
    PID: 2804
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "SuperFetch"
    PID: 4420
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "SuperFetch" start=disabled
    PID: 3496
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\fsutil.exe
    Command line: fsutil behavior set disablelastaccess 1
    PID: 4072
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc stop "PcaSvc"
    PID: 3448
    Signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: sc config "PcaSvc" start=disabled
    PID: 3932
    Signatures: Launches sc.exe
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 4920
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    PID: 1444
    Signatures: Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:4060
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1428
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:904
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:1764
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:900
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:4760
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:1080
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:2564
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:5032
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:3648
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:1360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1580
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:4612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:3008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:3944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:692
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:3128
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2124
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:1840
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:3868
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:444
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:2468
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:4756
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1360
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:2224
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:3720 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1580
-
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:4444
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:4168
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:2360
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:4248
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:3944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:4088
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:1796
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:3540
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:372
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:4284
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:3500
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:3312
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:1580
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:4188
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:1784
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:5112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4248
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:4004
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:692
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:4616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:436
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:1200
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:2208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2656
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1948
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:1552
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:4404
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:3904
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:1264
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:4920
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1236
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:396
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:828
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:440
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:316
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:780
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C timeout /t 1 /nobreak > nul & del "C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"2⤵PID:2348
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak3⤵
- Delays execution with timeout.exe
PID:520
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s w32time1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s w32time1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
PID:3068
Network
MITRE ATT&CK Enterprise v15
Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - System Services (1): Service Execution (1)
Persistence
  - Boot or Logon Autostart Execution (1): Time Providers (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Server Software Component (1): Terminal Services DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1): Time Providers (1)
  - Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  - Hide Artifacts (1): Ignore Process Interrupts (1)
  - Impair Defenses (1)
  - Indicator Removal (1): File Deletion (1)
  - Virtualization/Sandbox Evasion (1)
Downloads
Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
Filesize: 1KB
  MD5: 88be3bc8a7f90e3953298c0fdbec4d72
  SHA1: f4969784ad421cc80ef45608727aacd0f6bf2e4b
  SHA256: 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
  SHA512: 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c
Filesize: 1020B
  MD5: 3327a28128022a8114478f792a363012
  SHA1: b47d3313c8951f8b7fd26d5707740dcf5021ec18
  SHA256: b51041d595ae09530d03304466e9927f740884ec0882257035cbce6181a701c8
  SHA512: aa2f350bf180016b3dd9b54dd0d69547709bb20bc60adf3ff8ce85a2944c95b263dc01dff94ffc3da120e70cc7db396bbfbc408a5d6d270ae515bdea8fac4267
Filesize: 64B
  MD5: 3e2631323bdbc388d1fca634746db42f
  SHA1: 778174e49028290c1bf30ef4518019381e53706d
  SHA256: 48ba4fa73c48c539683eab69f82fe11b2d317b153c27ebd4e6ad4be14e4879d9
  SHA512: 05d7ae92ee999f9697883a425fff3ddf10ce57ea88def7ea73d98261c9d0c0e6e5bb119c1e26feee4d4b08c42a1dc80e6dd732825d0d66704ad5a8fb3aedc912
Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82