01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Analysis

max time kernel
21s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CD5j9fwc.exe
Size

27.9MB
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

10^/10

defense_evasion discovery evasion execution persistence ransomware themida trojan

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 15 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
3896	fsutil.exe
2584	fsutil.exe
1852	fsutil.exe
1420	fsutil.exe
780	fsutil.exe
1932	fsutil.exe
2656	fsutil.exe
560	fsutil.exe
1420	fsutil.exe
1064	fsutil.exe
3196	fsutil.exe
868	fsutil.exe
3392	fsutil.exe
5040	fsutil.exe
944	fsutil.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CD5j9fwc.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CD5j9fwc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CD5j9fwc.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4308-1-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-2-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-3-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-4-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-5-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-89-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-146-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral2/memory/4308-295-0x0000000140000000-0x000000014325E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CD5j9fwc.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4308	CD5j9fwc.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660039003100630030003300000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660039003100630030003300000000000000000000000000000000000000000000000000	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\rblayout.xin	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-01E21A55.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FFCC5BB3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-5B70F332.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\STARTMENUEXPERIENCEHOST.EXE-D80E778C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-6F2A95AF.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7E8D1C35.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-8102A33C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace2.fx	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1589E4C3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PfPre_eb61b35b.mkd	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-D9106866.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SEARCHAPP.EXE-0651CA85.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\SRTASKS.EXE-4F77756F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SHUTDOWN.EXE-E7D5C9CC.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0C84305E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf	powershell.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 15 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1068	powershell.exe
4204	powershell.exe
1540	powershell.exe
3264	powershell.exe
2536	powershell.exe
4796	powershell.exe
2296	powershell.exe
3244	powershell.exe
1520	powershell.exe
3756	powershell.exe
4880	powershell.exe
912	powershell.exe
4108	powershell.exe
1064	powershell.exe
1380	powershell.exe

Launches sc.exe 30 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3692	sc.exe
860	sc.exe
4024	sc.exe
1008	sc.exe
764	sc.exe
392	sc.exe
548	sc.exe
2128	sc.exe
2112	sc.exe
4616	sc.exe
3808	sc.exe
2360	sc.exe
1748	sc.exe
2616	sc.exe
780	sc.exe
4868	sc.exe
5004	sc.exe
1632	sc.exe
2436	sc.exe
1984	sc.exe
3324	sc.exe
3808	sc.exe
1448	sc.exe
4600	sc.exe
4856	sc.exe
1380	sc.exe
4292	sc.exe
1060	sc.exe
864	sc.exe
2336	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3788	powershell.exe
4500	powershell.exe
3416	powershell.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
224	net1.exe
2996	net.exe
4512	net1.exe
2808	net.exe
3860	net1.exe
3800	net.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	CD5j9fwc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4996	powershell.exe
4996	powershell.exe
4500	powershell.exe
3416	powershell.exe
3788	powershell.exe
3788	powershell.exe
3416	powershell.exe
3416	powershell.exe
4500	powershell.exe
4500	powershell.exe
3788	powershell.exe
912	powershell.exe
912	powershell.exe
2536	powershell.exe
2536	powershell.exe
1520	powershell.exe
1520	powershell.exe
4796	powershell.exe
4796	powershell.exe
4108	powershell.exe
4108	powershell.exe
2296	powershell.exe
2296	powershell.exe
3244	powershell.exe
3244	powershell.exe
1068	powershell.exe
1068	powershell.exe
3756	powershell.exe
3756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	712	svchost.exe
Token: SeSystemtimePrivilege	712	svchost.exe
Token: SeIncBasePriorityPrivilege	712	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: 36	2616	wmic.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: 36	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	4500	powershell.exe
Token: SeSystemtimePrivilege	712	svchost.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeSystemtimePrivilege	3748	svchost.exe
Token: SeSystemtimePrivilege	3748	svchost.exe
Token: SeIncBasePriorityPrivilege	3748	svchost.exe
Token: SeSystemtimePrivilege	3748	svchost.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4308	CD5j9fwc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4996	4308	CD5j9fwc.exe	83
PID 4308 wrote to memory of 4996	4308	CD5j9fwc.exe	83
PID 4308 wrote to memory of 3800	4308	CD5j9fwc.exe	87
PID 4308 wrote to memory of 3800	4308	CD5j9fwc.exe	87
PID 3800 wrote to memory of 224	3800	net.exe	89
PID 3800 wrote to memory of 224	3800	net.exe	89
PID 4308 wrote to memory of 1400	4308	CD5j9fwc.exe	90
PID 4308 wrote to memory of 1400	4308	CD5j9fwc.exe	90
PID 4308 wrote to memory of 3052	4308	CD5j9fwc.exe	92
PID 4308 wrote to memory of 3052	4308	CD5j9fwc.exe	92
PID 4308 wrote to memory of 2996	4308	CD5j9fwc.exe	94
PID 4308 wrote to memory of 2996	4308	CD5j9fwc.exe	94
PID 2996 wrote to memory of 4512	2996	net.exe	96
PID 2996 wrote to memory of 4512	2996	net.exe	96
PID 4308 wrote to memory of 2616	4308	CD5j9fwc.exe	99
PID 4308 wrote to memory of 2616	4308	CD5j9fwc.exe	99
PID 4308 wrote to memory of 3416	4308	CD5j9fwc.exe	100
PID 4308 wrote to memory of 3416	4308	CD5j9fwc.exe	100
PID 4308 wrote to memory of 3788	4308	CD5j9fwc.exe	102
PID 4308 wrote to memory of 3788	4308	CD5j9fwc.exe	102
PID 4308 wrote to memory of 4500	4308	CD5j9fwc.exe	101
PID 4308 wrote to memory of 4500	4308	CD5j9fwc.exe	101
PID 4308 wrote to memory of 2664	4308	CD5j9fwc.exe	108
PID 4308 wrote to memory of 2664	4308	CD5j9fwc.exe	108
PID 4308 wrote to memory of 4972	4308	CD5j9fwc.exe	110
PID 4308 wrote to memory of 4972	4308	CD5j9fwc.exe	110
PID 4308 wrote to memory of 4292	4308	CD5j9fwc.exe	112
PID 4308 wrote to memory of 4292	4308	CD5j9fwc.exe	112
PID 4308 wrote to memory of 4856	4308	CD5j9fwc.exe	114
PID 4308 wrote to memory of 4856	4308	CD5j9fwc.exe	114
PID 4308 wrote to memory of 912	4308	CD5j9fwc.exe	116
PID 4308 wrote to memory of 912	4308	CD5j9fwc.exe	116
PID 4308 wrote to memory of 2808	4308	CD5j9fwc.exe	118
PID 4308 wrote to memory of 2808	4308	CD5j9fwc.exe	118
PID 2808 wrote to memory of 3860	2808	net.exe	120
PID 2808 wrote to memory of 3860	2808	net.exe	120
PID 4308 wrote to memory of 2536	4308	CD5j9fwc.exe	121
PID 4308 wrote to memory of 2536	4308	CD5j9fwc.exe	121
PID 4308 wrote to memory of 1520	4308	CD5j9fwc.exe	123
PID 4308 wrote to memory of 1520	4308	CD5j9fwc.exe	123
PID 4308 wrote to memory of 780	4308	CD5j9fwc.exe	197
PID 4308 wrote to memory of 780	4308	CD5j9fwc.exe	197
PID 4308 wrote to memory of 3196	4308	CD5j9fwc.exe	129
PID 4308 wrote to memory of 3196	4308	CD5j9fwc.exe	129
PID 4308 wrote to memory of 1932	4308	CD5j9fwc.exe	131
PID 4308 wrote to memory of 1932	4308	CD5j9fwc.exe	131
PID 4308 wrote to memory of 392	4308	CD5j9fwc.exe	133
PID 4308 wrote to memory of 392	4308	CD5j9fwc.exe	133
PID 4308 wrote to memory of 3692	4308	CD5j9fwc.exe	135
PID 4308 wrote to memory of 3692	4308	CD5j9fwc.exe	135
PID 4308 wrote to memory of 2436	4308	CD5j9fwc.exe	137
PID 4308 wrote to memory of 2436	4308	CD5j9fwc.exe	137
PID 4308 wrote to memory of 2360	4308	CD5j9fwc.exe	139
PID 4308 wrote to memory of 2360	4308	CD5j9fwc.exe	139
PID 4308 wrote to memory of 2128	4308	CD5j9fwc.exe	177
PID 4308 wrote to memory of 2128	4308	CD5j9fwc.exe	177
PID 4308 wrote to memory of 860	4308	CD5j9fwc.exe	147
PID 4308 wrote to memory of 860	4308	CD5j9fwc.exe	147
PID 4308 wrote to memory of 548	4308	CD5j9fwc.exe	149
PID 4308 wrote to memory of 548	4308	CD5j9fwc.exe	149
PID 4308 wrote to memory of 4796	4308	CD5j9fwc.exe	151
PID 4308 wrote to memory of 4796	4308	CD5j9fwc.exe	151
PID 4308 wrote to memory of 4108	4308	CD5j9fwc.exe	154
PID 4308 wrote to memory of 4108	4308	CD5j9fwc.exe	154

C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe
"C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\CD5j9fwc.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:224
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:1400
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /register
  2⤵
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
  PID:3052
- C:\Windows\SYSTEM32\net.exe
  net start w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    - System Time Discovery
    PID:4512
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2664
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:4972
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Drops file in Windows directory
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:780
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3196
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1932
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:392
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:3692
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2436
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2128
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:860
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:868
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:5040
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2656
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:1380
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1060
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:4600
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2864
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:2128
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:560
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:944
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3896
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:2112
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:4616
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:780
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html
  2⤵
  PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd82c746f8,0x7ffd82c74708,0x7ffd82c74718
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18005019491290589014,11321156030667795049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:440
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2296
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:3808
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5040
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:764
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3264
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2112
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2584
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:1420
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  PID:3392
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:3324
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:5004
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:4868
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4440
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:3808
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1380
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1852
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  PID:1420
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  PID:1064
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:1632
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f38f2e87072034462d29e33418005aea

SHA1
91c4495517cf8cd28fc1fd1c671ef8e83d1b352e

SHA256
2f20de0b983f07f1ace4472cead5bcd6bc898314f6d3c57a162ff6f01a6fa875

SHA512
57d2f0dce8a0cd47708324ce070d7a48f0f27731d4cf2a24f7c1df644e62181e71b568c8ae770456bf0189937971c1827d5dacd975e2971f54286845e9f3f919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bc3fe800700f725735d3b7f8a54741e7

SHA1
3322d05131f984912aded4d8e3b8d0c69cb81415

SHA256
9bbf8f39ee2a792368fe15fb4a44d3596f7abc626c1b7e7b97d89d512f39e1bc

SHA512
e3992d62f1fbc8cf81c1bbee29a76a249171ca35266f2d5b1c9a76e3c37221d3e4c8b224780a90af045fdbae74b397c3f2884321a30002fbea1997e57e281bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1020B

MD5
cbe76d174c1dbb87f47f12456064834d

SHA1
3ffd0a230c07f887a55e1210197e085fabb5fd4c

SHA256
00d4438d53ec5e4b78f7872bad8d134bf630bdcebe7225b52eece86cbdc8ee13

SHA512
d5146fed0ee5bb861f7c3579cbc084ac299036e31a30e32c517122dcdd8530b791ebca057b71380ba216b2ca14fbea5ea2b6dcf9c270c53b3bf5921b8029520e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
dcfc8aba09e719331baa053a0b1ed67e

SHA1
627fab6b67861f2f7b76dd17cebdc27ae736fedf

SHA256
63222ffc55faf3d7562df64fb7735c7fe8b90052dbf0f5651af9c22d3d8984d9

SHA512
0cbe3c4e957856ed7f055b3e54090d3277f462b5f989da8c89946a3afd0f5d516e5256edf226148db85460d85be4945fb2cb646fc022bfb607594950d7cbd540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_touhowyp.ebi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4308-5-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-0-0x00007FFDA0490000-0x00007FFDA0492000-memory.dmp

Filesize
8KB

Download
memory/4308-89-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-146-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-4-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-3-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-2-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-295-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4308-1-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/4996-20-0x00007FFDA03F0000-0x00007FFDA05E5000-memory.dmp

Filesize
2.0MB

Download
memory/4996-17-0x0000029FA8180000-0x0000029FA81A2000-memory.dmp

Filesize
136KB

Download
memory/4996-7-0x00007FFDA03F0000-0x00007FFDA05E5000-memory.dmp

Filesize
2.0MB

Download
memory/4996-6-0x00007FFDA03F0000-0x00007FFDA05E5000-memory.dmp

Filesize
2.0MB

Download