01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmBRfCiH.exe
Size

27.9MB
MD5

34e055a67b10a1a14994b6b3457698e2
SHA1

6b299dca56f55a0656b23fd035f4353dc049343a
SHA256

01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512

8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP

786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Score

10^/10

defense_evasion discovery evasion execution persistence ransomware themida trojan

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 64 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2356	fsutil.exe
2936	fsutil.exe
4860	fsutil.exe
116	fsutil.exe
2556	fsutil.exe
760	fsutil.exe
2692	fsutil.exe
428	fsutil.exe
1756	fsutil.exe
4124	fsutil.exe
3228	fsutil.exe
1336	fsutil.exe
4344	fsutil.exe
4416	fsutil.exe
4800	fsutil.exe
4188	fsutil.exe
4388	fsutil.exe
4744	fsutil.exe
3688	fsutil.exe
2608	fsutil.exe
4036	fsutil.exe
1684	fsutil.exe
3012	fsutil.exe
2732	fsutil.exe
3696	fsutil.exe
3392	fsutil.exe
2936	fsutil.exe
1100	fsutil.exe
3136	fsutil.exe
3744	fsutil.exe
2724	fsutil.exe
2816	fsutil.exe
4220	fsutil.exe
2652	fsutil.exe
5020	fsutil.exe
4912	fsutil.exe
4828	fsutil.exe
2592	fsutil.exe
2792	fsutil.exe
4412	fsutil.exe
1552	fsutil.exe
2200	fsutil.exe
1320	fsutil.exe
4044	fsutil.exe
2712	fsutil.exe
1580	fsutil.exe
1184	fsutil.exe
1656	fsutil.exe
1716	fsutil.exe
4992	fsutil.exe
5016	fsutil.exe
4572	fsutil.exe
5056	fsutil.exe
4720	fsutil.exe
4368	fsutil.exe
1144	fsutil.exe
1752	fsutil.exe
4900	fsutil.exe
3724	fsutil.exe
1820	fsutil.exe
4572	fsutil.exe
1512	fsutil.exe
428	fsutil.exe
4504	fsutil.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SmBRfCiH.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmBRfCiH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmBRfCiH.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/868-1-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-2-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-3-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-4-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-5-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-18-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-89-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-158-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-225-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-292-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-359-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-426-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-493-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-560-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-627-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-694-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-758-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-819-0x0000000140000000-0x000000014325E000-memory.dmp	themida
behavioral1/memory/868-880-0x0000000140000000-0x000000014325E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SmBRfCiH.exe

Enumerates connected drives 3 TTPs 54 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
868	SmBRfCiH.exe

Boot or Logon Autostart Execution: Time Providers 1 TTPs 32 IoCs

The Windows Time service (W32Time) enables time synchronization across and within domains.

persistence

Time Providers

T1547.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7"	w32tm.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660039003200320031006400000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4"	w32tm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648"	w32tm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-145A3777.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PfPre_564088f9.mkd	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1589E4C3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0C84305E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Trace1.fx	powershell.exe
File opened for modification	C:\Windows\Prefetch\DISM.EXE-DE199F71.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7E8D1C35.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-97BCF638.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-EDE0F878.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TEXTINPUTHOST.EXE-4AE33179.pf	powershell.exe
File created	C:\Windows\Fonts\ARIALUNI.TTF	SmBRfCiH.exe
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-D9106866.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DISMHOST.EXE-A9D3CACB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\STARTMENUEXPERIENCEHOST.EXE-D80E778C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	powershell.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 64 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1820	powershell.exe
64	powershell.exe
1560	powershell.exe
708	powershell.exe
3984	powershell.exe
3220	powershell.exe
736	powershell.exe
5088	powershell.exe
4312	powershell.exe
4800	powershell.exe
3664	powershell.exe
1612	powershell.exe
2928	powershell.exe
2816	powershell.exe
5048	powershell.exe
452	powershell.exe
2244	powershell.exe
5024	powershell.exe
2564	powershell.exe
3752	powershell.exe
2328	powershell.exe
448	powershell.exe
440	powershell.exe
3000	powershell.exe
4680	powershell.exe
4528	powershell.exe
2616	powershell.exe
2612	powershell.exe
4740	powershell.exe
3036	powershell.exe
1828	powershell.exe
2336	powershell.exe
916	powershell.exe
3992	powershell.exe
2280	powershell.exe
2976	powershell.exe
1644	powershell.exe
2148	powershell.exe
1820	powershell.exe
4588	powershell.exe
2976	powershell.exe
5104	powershell.exe
1120	powershell.exe
1780	powershell.exe
4164	powershell.exe
4568	powershell.exe
4504	powershell.exe
3412	powershell.exe
4328	powershell.exe
3296	powershell.exe
3544	powershell.exe
2008	powershell.exe
60	powershell.exe
4292	powershell.exe
4684	powershell.exe
4040	powershell.exe
4220	powershell.exe
1736	powershell.exe
372	powershell.exe
1308	powershell.exe
3924	powershell.exe
3188	powershell.exe
4052	powershell.exe
228	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1008	sc.exe
4712	sc.exe
3156	sc.exe
512	sc.exe
3236	sc.exe
3660	sc.exe
744	sc.exe
452	sc.exe
3532	sc.exe
864	sc.exe
4992	sc.exe
5024	sc.exe
2848	sc.exe
1656	sc.exe
2620	sc.exe
3408	sc.exe
3572	sc.exe
708	sc.exe
440	sc.exe
636	sc.exe
2940	sc.exe
4388	sc.exe
768	sc.exe
4292	sc.exe
2148	sc.exe
2240	sc.exe
3540	sc.exe
4700	sc.exe
232	sc.exe
864	sc.exe
232	sc.exe
5068	sc.exe
5100	sc.exe
4492	sc.exe
5072	sc.exe
1820	sc.exe
4704	sc.exe
1172	sc.exe
3456	sc.exe
1496	sc.exe
3808	sc.exe
1512	sc.exe
812	sc.exe
2608	sc.exe
2692	sc.exe
4408	sc.exe
1612	sc.exe
4048	sc.exe
2496	sc.exe
4164	sc.exe
664	sc.exe
1684	sc.exe
4380	sc.exe
1048	sc.exe
1392	sc.exe
4944	sc.exe
1596	sc.exe
4564	sc.exe
3340	sc.exe
3712	sc.exe
2116	sc.exe
1920	sc.exe
4704	sc.exe
4404	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
808	powershell.exe
3408	powershell.exe
2196	powershell.exe

System Time Discovery 1 TTPs 6 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
428	net.exe
5040	net1.exe
1120	net.exe
3456	net1.exe
2476	net.exe
1600	net1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	SmBRfCiH.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	powershell.exe
2600	powershell.exe
4052	taskmgr.exe
4052	taskmgr.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
2196	powershell.exe
2196	powershell.exe
808	powershell.exe
808	powershell.exe
3408	powershell.exe
3408	powershell.exe
2196	powershell.exe
808	powershell.exe
3408	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
4504	powershell.exe
4504	powershell.exe
1820	powershell.exe
1820	powershell.exe
2928	powershell.exe
2928	powershell.exe
3752	powershell.exe
3752	powershell.exe
4040	powershell.exe
4040	powershell.exe
64	powershell.exe
64	powershell.exe
916	powershell.exe
916	powershell.exe
4220	powershell.exe
4220	powershell.exe
2328	powershell.exe
2328	powershell.exe
3924	powershell.exe
3924	powershell.exe
3544	powershell.exe
3544	powershell.exe
2976	powershell.exe
2976	powershell.exe
2816	powershell.exe
2816	powershell.exe
1560	powershell.exe
1560	powershell.exe
1644	powershell.exe
1644	powershell.exe
1824	powershell.exe
1824	powershell.exe
448	powershell.exe
448	powershell.exe
5048	powershell.exe
5048	powershell.exe
452	powershell.exe
452	powershell.exe
2008	powershell.exe
2008	powershell.exe
2148	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4052	taskmgr.exe
Token: SeSystemProfilePrivilege	4052	taskmgr.exe
Token: SeCreateGlobalPrivilege	4052	taskmgr.exe
Token: 33	4052	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4052	taskmgr.exe
Token: SeSystemtimePrivilege	3788	svchost.exe
Token: SeSystemtimePrivilege	3788	svchost.exe
Token: SeIncBasePriorityPrivilege	3788	svchost.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	wmic.exe
Token: SeSecurityPrivilege	2840	wmic.exe
Token: SeTakeOwnershipPrivilege	2840	wmic.exe
Token: SeLoadDriverPrivilege	2840	wmic.exe
Token: SeSystemProfilePrivilege	2840	wmic.exe
Token: SeSystemtimePrivilege	2840	wmic.exe
Token: SeProfSingleProcessPrivilege	2840	wmic.exe
Token: SeIncBasePriorityPrivilege	2840	wmic.exe
Token: SeCreatePagefilePrivilege	2840	wmic.exe
Token: SeBackupPrivilege	2840	wmic.exe
Token: SeRestorePrivilege	2840	wmic.exe
Token: SeShutdownPrivilege	2840	wmic.exe
Token: SeDebugPrivilege	2840	wmic.exe
Token: SeSystemEnvironmentPrivilege	2840	wmic.exe
Token: SeRemoteShutdownPrivilege	2840	wmic.exe
Token: SeUndockPrivilege	2840	wmic.exe
Token: SeManageVolumePrivilege	2840	wmic.exe
Token: 33	2840	wmic.exe
Token: 34	2840	wmic.exe
Token: 35	2840	wmic.exe
Token: 36	2840	wmic.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	wmic.exe
Token: SeSecurityPrivilege	2840	wmic.exe
Token: SeTakeOwnershipPrivilege	2840	wmic.exe
Token: SeLoadDriverPrivilege	2840	wmic.exe
Token: SeSystemProfilePrivilege	2840	wmic.exe
Token: SeSystemtimePrivilege	2840	wmic.exe
Token: SeProfSingleProcessPrivilege	2840	wmic.exe
Token: SeIncBasePriorityPrivilege	2840	wmic.exe
Token: SeCreatePagefilePrivilege	2840	wmic.exe
Token: SeBackupPrivilege	2840	wmic.exe
Token: SeRestorePrivilege	2840	wmic.exe
Token: SeShutdownPrivilege	2840	wmic.exe
Token: SeDebugPrivilege	2840	wmic.exe
Token: SeSystemEnvironmentPrivilege	2840	wmic.exe
Token: SeRemoteShutdownPrivilege	2840	wmic.exe
Token: SeUndockPrivilege	2840	wmic.exe
Token: SeManageVolumePrivilege	2840	wmic.exe
Token: 33	2840	wmic.exe
Token: 34	2840	wmic.exe
Token: 35	2840	wmic.exe
Token: 36	2840	wmic.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeSystemtimePrivilege	3788	svchost.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
868	SmBRfCiH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 2600	868	SmBRfCiH.exe	84
PID 868 wrote to memory of 2600	868	SmBRfCiH.exe	84
PID 868 wrote to memory of 428	868	SmBRfCiH.exe	94
PID 868 wrote to memory of 428	868	SmBRfCiH.exe	94
PID 428 wrote to memory of 5040	428	net.exe	96
PID 428 wrote to memory of 5040	428	net.exe	96
PID 868 wrote to memory of 796	868	SmBRfCiH.exe	97
PID 868 wrote to memory of 796	868	SmBRfCiH.exe	97
PID 868 wrote to memory of 2712	868	SmBRfCiH.exe	159
PID 868 wrote to memory of 2712	868	SmBRfCiH.exe	159
PID 868 wrote to memory of 1120	868	SmBRfCiH.exe	101
PID 868 wrote to memory of 1120	868	SmBRfCiH.exe	101
PID 868 wrote to memory of 3224	868	SmBRfCiH.exe	103
PID 868 wrote to memory of 3224	868	SmBRfCiH.exe	103
PID 1120 wrote to memory of 3456	1120	net.exe	105
PID 1120 wrote to memory of 3456	1120	net.exe	105
PID 868 wrote to memory of 1596	868	SmBRfCiH.exe	107
PID 868 wrote to memory of 1596	868	SmBRfCiH.exe	107
PID 868 wrote to memory of 3704	868	SmBRfCiH.exe	109
PID 868 wrote to memory of 3704	868	SmBRfCiH.exe	109
PID 868 wrote to memory of 4684	868	SmBRfCiH.exe	111
PID 868 wrote to memory of 4684	868	SmBRfCiH.exe	111
PID 868 wrote to memory of 2840	868	SmBRfCiH.exe	113
PID 868 wrote to memory of 2840	868	SmBRfCiH.exe	113
PID 868 wrote to memory of 3408	868	SmBRfCiH.exe	114
PID 868 wrote to memory of 3408	868	SmBRfCiH.exe	114
PID 868 wrote to memory of 2196	868	SmBRfCiH.exe	116
PID 868 wrote to memory of 2196	868	SmBRfCiH.exe	116
PID 868 wrote to memory of 808	868	SmBRfCiH.exe	117
PID 868 wrote to memory of 808	868	SmBRfCiH.exe	117
PID 868 wrote to memory of 2564	868	SmBRfCiH.exe	151
PID 868 wrote to memory of 2564	868	SmBRfCiH.exe	151
PID 868 wrote to memory of 2732	868	SmBRfCiH.exe	123
PID 868 wrote to memory of 2732	868	SmBRfCiH.exe	123
PID 868 wrote to memory of 3584	868	SmBRfCiH.exe	125
PID 868 wrote to memory of 3584	868	SmBRfCiH.exe	125
PID 868 wrote to memory of 3136	868	SmBRfCiH.exe	127
PID 868 wrote to memory of 3136	868	SmBRfCiH.exe	127
PID 868 wrote to memory of 4572	868	SmBRfCiH.exe	129
PID 868 wrote to memory of 4572	868	SmBRfCiH.exe	129
PID 868 wrote to memory of 4900	868	SmBRfCiH.exe	131
PID 868 wrote to memory of 4900	868	SmBRfCiH.exe	131
PID 868 wrote to memory of 1384	868	SmBRfCiH.exe	133
PID 868 wrote to memory of 1384	868	SmBRfCiH.exe	133
PID 868 wrote to memory of 1160	868	SmBRfCiH.exe	135
PID 868 wrote to memory of 1160	868	SmBRfCiH.exe	135
PID 868 wrote to memory of 2148	868	SmBRfCiH.exe	137
PID 868 wrote to memory of 2148	868	SmBRfCiH.exe	137
PID 868 wrote to memory of 3660	868	SmBRfCiH.exe	139
PID 868 wrote to memory of 3660	868	SmBRfCiH.exe	139
PID 868 wrote to memory of 2476	868	SmBRfCiH.exe	141
PID 868 wrote to memory of 2476	868	SmBRfCiH.exe	141
PID 2476 wrote to memory of 1600	2476	net.exe	143
PID 2476 wrote to memory of 1600	2476	net.exe	143
PID 868 wrote to memory of 3256	868	SmBRfCiH.exe	144
PID 868 wrote to memory of 3256	868	SmBRfCiH.exe	144
PID 868 wrote to memory of 5024	868	SmBRfCiH.exe	146
PID 868 wrote to memory of 5024	868	SmBRfCiH.exe	146
PID 868 wrote to memory of 64	868	SmBRfCiH.exe	148
PID 868 wrote to memory of 64	868	SmBRfCiH.exe	148
PID 868 wrote to memory of 4504	868	SmBRfCiH.exe	150
PID 868 wrote to memory of 4504	868	SmBRfCiH.exe	150
PID 868 wrote to memory of 1820	868	SmBRfCiH.exe	152
PID 868 wrote to memory of 1820	868	SmBRfCiH.exe	152

C:\Users\Admin\AppData\Local\Temp\SmBRfCiH.exe
"C:\Users\Admin\AppData\Local\Temp\SmBRfCiH.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\SmBRfCiH.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:5040
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:796
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /register
  2⤵
  - Server Software Component: Terminal Services DLL
  - Boot or Logon Autostart Execution: Time Providers
  PID:2712
- C:\Windows\SYSTEM32\net.exe
  net start w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start w32time
    3⤵
    - System Time Discovery
    PID:3456
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3224
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Drops file in Windows directory
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SYSTEM32\w32tm.exe
  w32tm /resync /force
  2⤵
  PID:3584
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3136
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4572
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4900
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1384
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1160
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2148
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:3660
- C:\Windows\SYSTEM32\net.exe
  net stop w32time
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    - System Time Discovery
    PID:1600
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3256
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:5024
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3744
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Enumerates connected drives
  PID:4368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2712
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2936
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3800
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:3664
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2976
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2672
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4024
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4564
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4504
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4828
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3228
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2280
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:2608
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:4164
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1488
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2304
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:2816
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4044
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1716
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3808
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1736
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4200
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:1680
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3228
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2280
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2592
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1684
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2792
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4404
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:708
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:744
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2328
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2464
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:220
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1644
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2724
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Enumerates connected drives
  PID:4032
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4860
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:5100
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:1892
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4524
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3744
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2240
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1752
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4992
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:4888
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2228
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:4492
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1656
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1232
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:3696
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4412
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4388
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1336
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:3540
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:4700
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4820
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:5072
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3544
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:2548
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2712
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4744
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4424
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2328
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:3704
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:744
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4748
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4712
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1120
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3012
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Enumerates connected drives
  PID:3800
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:116
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:216
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4892
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:452
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4052
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:3744
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1100
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3688
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1580
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2816
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:1820
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2912
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:232
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2228
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1596
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:3340
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:60
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1552
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2556
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:3992
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2096
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2224
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4428
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:4388
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3324
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2616
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:5056
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:760
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4344
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3112
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:4544
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:440
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:936
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4184
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:1164
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3984
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4720
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2692
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:1720
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1580
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:1172
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:264
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:636
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1820
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2988
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:440
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3724
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4416
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4220
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3712
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2556
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4732
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2448
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3128
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4804
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1580
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:4368
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2732
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1820
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:1048
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1152
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:664
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:3520
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:5104
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:3800
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1780
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3392
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Enumerates connected drives
  PID:3128
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:3992
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:768
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:1920
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2464
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2928
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:2692
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3220
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2936
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:3696
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4800
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3156
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:5068
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:2940
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4184
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3160
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4676
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3992
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:2608
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:5016
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:428
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:2912
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:4528
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2304
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:232
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3340
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4048
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:372
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:2232
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2652
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4188
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:5040
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2848
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:1144
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:2356
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3324
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:4804
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2280
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:5020
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Enumerates connected drives
  PID:1820
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:4820
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3532
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:512
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:3588
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:760
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3624
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:2496
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1308
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:2848
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1144
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2356
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4476
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:4448
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2116
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:404
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:4116
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4992
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:5088
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:1892
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1756
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Enumerates connected drives
  PID:2956
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:4140
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:2340
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:5068
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:3412
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2240
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4708
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:428
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1100
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4572
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:3408
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1320
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:2780
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  - Launches sc.exe
  PID:3572
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2280
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:3176
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:2340
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1184
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4124
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:2200
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:1372
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  - Launches sc.exe
  PID:4704
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4052
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4944
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:3668
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4292
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  - Deletes NTFS Change Journal
  PID:1656
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1320
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4912
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  PID:3292
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:1828
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  - Launches sc.exe
  PID:812
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4368
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1008
- C:\Windows\SYSTEM32\sc.exe
  sc stop "PcaSvc"
  2⤵
  PID:5020
- C:\Windows\SYSTEM32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  PID:1184
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d C:
  2⤵
  PID:2284
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d D:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:1512
- C:\Windows\SYSTEM32\fsutil.exe
  fsutil usn deletejournal /d F:
  2⤵
  - Deletes NTFS Change Journal
  - Enumerates connected drives
  PID:4036
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SysMain"
  2⤵
  - Launches sc.exe
  PID:4944
- C:\Windows\SYSTEM32\sc.exe
  sc config "SysMain" start=disabled
  2⤵
  PID:3056
- C:\Windows\SYSTEM32\sc.exe
  sc stop "SuperFetch"
  2⤵
  PID:4676
- C:\Windows\SYSTEM32\sc.exe
  sc config "SuperFetch" start=disabled
  2⤵
  PID:4476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Time Providers

T1547.003

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9d737602ce1294db9496f81f7d1b9b70

SHA1
c0ce66d5335f1d614f640d220791503a2ca0effb

SHA256
5bb96b5d8122947006a759fc4a5e31f34f5d34360cb55448b85cd8f7a3346be8

SHA512
f4af041dc8a8ebc7bbb1b70ea0e19802d78456dae46f2ffba3dc3be6011a993acca001b9701f1a3e3e3b480ed3b3f8d9589e0f1da2b819555e60d8196b119f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
35ed7b59fa28d08bb3b1816249204936

SHA1
80cde2110c452e61bd64d6ae6bd6ab0c6e1f2d8d

SHA256
49af4fe7f3f7a5e944bb74684c92c50c7424309ef148c97de885c1ad86ac08e1

SHA512
cf787a4b9e049ec69002e326f42441ae3e9d271684b7f370c1edb1f17764d0e04134ff36675a0e60a7815869ddaf3375230a204e37fdd83a270b9595564fb64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1020B

MD5
f7008ed1313695169be572150801235c

SHA1
c14a9659b8c619060ccd826002cb31ef6da24b69

SHA256
e255e081f9ad6eb39ec2912a50720570563621bf6ecdcd6036ec94c6a4b30751

SHA512
027df89bf352f08b56df82d8cb00e1699b4d1f3e5799047beb967d189a414a98257eab11b8b96f445ff0e67e9a87d21cc926a425bac6996a29abf043f5cc8aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jreacsja.kry.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/868-158-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-5-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-880-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-18-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-819-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-758-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-1-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-4-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-3-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-89-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-694-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-2-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-426-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-225-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-292-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-359-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-0-0x00007FFCF26D0000-0x00007FFCF26D2000-memory.dmp

Filesize
8KB

Download
memory/868-493-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-560-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/868-627-0x0000000140000000-0x000000014325E000-memory.dmp

Filesize
50.4MB

Download
memory/2600-7-0x00007FFCF2630000-0x00007FFCF2825000-memory.dmp

Filesize
2.0MB

Download
memory/2600-6-0x00007FFCF2630000-0x00007FFCF2825000-memory.dmp

Filesize
2.0MB

Download
memory/2600-13-0x000001FE4B3B0000-0x000001FE4B3D2000-memory.dmp

Filesize
136KB

Download
memory/2600-21-0x00007FFCF2630000-0x00007FFCF2825000-memory.dmp

Filesize
2.0MB

Download