f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Holzer.exe
Size

135KB
MD5

c971c68b4e58ccc82802b21ae8488bc7
SHA1

7305f3a0a0a0d489e0bcf664353289f61556de77
SHA256

cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce
SHA512

ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7
SSDEEP

3072:2EYGNIaWY/0kTKxIJXtJ0YCHiQtSetFITTTTTHvvvvvNKB:HN5TKvr9PuKB

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Holzer.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6848	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6464	6660	WerFault.exe	247
5128	4672	WerFault.exe	135
5772	6660	WerFault.exe	247

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bootcfg.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
6656	ipconfig.exe
7344	NETSTAT.EXE

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	certreq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	calc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7984	PING.EXE

Runs regedit.exe 2 IoCs

pid	Process
8416	regedit.exe
8660	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	Holzer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: 33	4708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4708	AUDIODG.EXE
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeShutdownPrivilege	2720	svchost.exe
Token: SeShutdownPrivilege	2720	svchost.exe
Token: SeCreatePagefilePrivilege	2720	svchost.exe
Token: SeSecurityPrivilege	3320	auditpol.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeSystemtimePrivilege	4956	Holzer.exe
Token: SeBackupPrivilege	936	vssvc.exe
Token: SeRestorePrivilege	936	vssvc.exe
Token: SeAuditPrivilege	936	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5104	OpenWith.exe
2516	certreq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4624	4956	Holzer.exe	98
PID 4956 wrote to memory of 4624	4956	Holzer.exe	98
PID 4956 wrote to memory of 4624	4956	Holzer.exe	98
PID 4956 wrote to memory of 2496	4956	Holzer.exe	99
PID 4956 wrote to memory of 2496	4956	Holzer.exe	99
PID 4956 wrote to memory of 2496	4956	Holzer.exe	99
PID 4956 wrote to memory of 5012	4956	Holzer.exe	102
PID 4956 wrote to memory of 5012	4956	Holzer.exe	102
PID 4956 wrote to memory of 5012	4956	Holzer.exe	102
PID 4956 wrote to memory of 5020	4956	Holzer.exe	104
PID 4956 wrote to memory of 5020	4956	Holzer.exe	104
PID 4956 wrote to memory of 5020	4956	Holzer.exe	104
PID 4956 wrote to memory of 1676	4956	Holzer.exe	106
PID 4956 wrote to memory of 1676	4956	Holzer.exe	106
PID 4956 wrote to memory of 1676	4956	Holzer.exe	106
PID 4956 wrote to memory of 2636	4956	Holzer.exe	108
PID 4956 wrote to memory of 2636	4956	Holzer.exe	108
PID 4956 wrote to memory of 2636	4956	Holzer.exe	108
PID 4956 wrote to memory of 3320	4956	Holzer.exe	109
PID 4956 wrote to memory of 3320	4956	Holzer.exe	109
PID 4956 wrote to memory of 3320	4956	Holzer.exe	109
PID 4956 wrote to memory of 1512	4956	Holzer.exe	115
PID 4956 wrote to memory of 1512	4956	Holzer.exe	115
PID 4956 wrote to memory of 1512	4956	Holzer.exe	115
PID 4956 wrote to memory of 2772	4956	Holzer.exe	116
PID 4956 wrote to memory of 2772	4956	Holzer.exe	116
PID 4956 wrote to memory of 2772	4956	Holzer.exe	116
PID 4956 wrote to memory of 2292	4956	Holzer.exe	117
PID 4956 wrote to memory of 2292	4956	Holzer.exe	117
PID 4956 wrote to memory of 2292	4956	Holzer.exe	117
PID 4956 wrote to memory of 3328	4956	Holzer.exe	119
PID 4956 wrote to memory of 3328	4956	Holzer.exe	119
PID 4956 wrote to memory of 3328	4956	Holzer.exe	119
PID 4956 wrote to memory of 872	4956	Holzer.exe	121
PID 4956 wrote to memory of 872	4956	Holzer.exe	121
PID 4956 wrote to memory of 872	4956	Holzer.exe	121
PID 4956 wrote to memory of 1136	4956	Holzer.exe	123
PID 4956 wrote to memory of 1136	4956	Holzer.exe	123
PID 4956 wrote to memory of 1136	4956	Holzer.exe	123
PID 4956 wrote to memory of 2824	4956	Holzer.exe	125
PID 4956 wrote to memory of 2824	4956	Holzer.exe	125
PID 4956 wrote to memory of 2824	4956	Holzer.exe	125
PID 4956 wrote to memory of 4520	4956	Holzer.exe	127
PID 4956 wrote to memory of 4520	4956	Holzer.exe	127
PID 4956 wrote to memory of 4520	4956	Holzer.exe	127
PID 4956 wrote to memory of 3288	4956	Holzer.exe	128
PID 4956 wrote to memory of 3288	4956	Holzer.exe	128
PID 4956 wrote to memory of 3288	4956	Holzer.exe	128
PID 4956 wrote to memory of 5044	4956	Holzer.exe	130
PID 4956 wrote to memory of 5044	4956	Holzer.exe	130
PID 4956 wrote to memory of 5044	4956	Holzer.exe	130
PID 4956 wrote to memory of 2516	4956	Holzer.exe	131
PID 4956 wrote to memory of 2516	4956	Holzer.exe	131
PID 4956 wrote to memory of 2516	4956	Holzer.exe	131
PID 4956 wrote to memory of 2288	4956	Holzer.exe	133
PID 4956 wrote to memory of 2288	4956	Holzer.exe	133
PID 4956 wrote to memory of 2288	4956	Holzer.exe	133
PID 4956 wrote to memory of 3652	4956	Holzer.exe	136
PID 4956 wrote to memory of 3652	4956	Holzer.exe	136
PID 4956 wrote to memory of 3652	4956	Holzer.exe	136
PID 4956 wrote to memory of 1012	4956	Holzer.exe	137
PID 4956 wrote to memory of 1012	4956	Holzer.exe	137
PID 4956 wrote to memory of 1012	4956	Holzer.exe	137
PID 4956 wrote to memory of 4348	4956	Holzer.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:4624
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:2496
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:5020
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - Views/modifies file attributes
  PID:2636
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:1292
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:2292
- C:\Windows\SysWOW64\bootcfg.exe
  "C:\Windows\System32\bootcfg.exe"
  2⤵
  - Checks processor information in registry
  PID:3328
- C:\Windows\SysWOW64\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:872
- C:\Windows\SysWOW64\ByteCodeGenerator.exe
  "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:1136
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - Modifies registry class
  PID:4520
- C:\Windows\SysWOW64\CameraSettingsUIHost.exe
  "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  PID:3288
- C:\Windows\SysWOW64\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  PID:5044
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  PID:2288
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  PID:3652
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  - Enumerates system info in registry
  PID:4348
- C:\Windows\SysWOW64\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  - Enumerates system info in registry
  PID:1684
- C:\Windows\SysWOW64\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  PID:632
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  PID:3228
- C:\Windows\SysWOW64\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  PID:4324
- C:\Windows\SysWOW64\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2156
- C:\Windows\SysWOW64\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  PID:3248
- C:\Windows\SysWOW64\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  PID:64
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  PID:2784
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  PID:400
- C:\Windows\SysWOW64\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  PID:3972
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:1112
- C:\Windows\SysWOW64\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  PID:3756
- C:\Windows\SysWOW64\CredentialUIBroker.exe
  "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  PID:4588
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:400
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  PID:3452
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:3708
- C:\Windows\SysWOW64\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\curl.exe
  "C:\Windows\System32\curl.exe"
  2⤵
  PID:5156
- C:\Windows\SysWOW64\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:5260
- C:\Windows\SysWOW64\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:5300
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    PID:5316
- C:\Windows\SysWOW64\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:5348
- C:\Windows\SysWOW64\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:5404
- C:\Windows\SysWOW64\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:5480
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:5620
- C:\Windows\SysWOW64\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:5760
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:5924
- C:\Windows\SysWOW64\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  PID:6076
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:5528
- C:\Windows\SysWOW64\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:5912
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:6156
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:display
    3⤵
    PID:6216
- C:\Windows\SysWOW64\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:6300
- C:\Windows\SysWOW64\dtdump.exe
  "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:6424
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:6588
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    PID:6632
  - - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce: /device:dvd
      4⤵
      PID:6716
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      PID:6724
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        
        PID:6848
- C:\Windows\SysWOW64\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:6672
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:6764
- C:\Windows\SysWOW64\EaseOfAccessDialog.exe
  "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:6856
- C:\Windows\SysWOW64\edpnotify.exe
  "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:7012
- C:\Windows\SysWOW64\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:7108
- C:\Windows\SysWOW64\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:7136
- C:\Windows\SysWOW64\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:5964
- C:\Windows\SysWOW64\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:6224
- C:\Windows\SysWOW64\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:6552
- C:\Windows\SysWOW64\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:6616
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    PID:6460
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:6660
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6660 -s 2040
        5⤵
        Program crash
        
        PID:6464
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6660 -s 2040
        5⤵
        Program crash
        
        PID:5772
- C:\Windows\SysWOW64\expand.exe
  "C:\Windows\System32\expand.exe"
  2⤵
  PID:6692
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe"
  2⤵
  PID:6736
- C:\Windows\SysWOW64\extrac32.exe
  "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:7020
- C:\Windows\SysWOW64\fc.exe
  "C:\Windows\System32\fc.exe"
  2⤵
  PID:7060
- C:\Windows\SysWOW64\find.exe
  "C:\Windows\System32\find.exe"
  2⤵
  PID:7144
- C:\Windows\SysWOW64\findstr.exe
  "C:\Windows\System32\findstr.exe"
  2⤵
  PID:6912
- C:\Windows\SysWOW64\finger.exe
  "C:\Windows\System32\finger.exe"
  2⤵
  PID:6960
- C:\Windows\SysWOW64\fixmapi.exe
  "C:\Windows\System32\fixmapi.exe"
  2⤵
  PID:6220
- C:\Windows\SysWOW64\fltMC.exe
  "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:6420
- C:\Windows\SysWOW64\Fondue.exe
  "C:\Windows\System32\Fondue.exe"
  2⤵
  PID:6428
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\System32\fontview.exe"
  2⤵
  PID:6652
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    /c echo "1074601791"
    3⤵
    PID:2260
- C:\Windows\SysWOW64\fsquirt.exe
  "C:\Windows\System32\fsquirt.exe"
  2⤵
  PID:7052
- C:\Windows\SysWOW64\fsutil.exe
  "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:7124
- C:\Windows\SysWOW64\ftp.exe
  "C:\Windows\System32\ftp.exe"
  2⤵
  PID:6232
- C:\Windows\SysWOW64\GameBarPresenceWriter.exe
  "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  PID:6216
- C:\Windows\SysWOW64\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe"
  2⤵
  PID:6424
- C:\Windows\SysWOW64\getmac.exe
  "C:\Windows\System32\getmac.exe"
  2⤵
  PID:4664
- C:\Windows\SysWOW64\gpresult.exe
  "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:3192
- C:\Windows\SysWOW64\gpscript.exe
  "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:6524
- C:\Windows\SysWOW64\gpupdate.exe
  "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:3292
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:6888
- C:\Windows\SysWOW64\hdwwiz.exe
  "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\System32\help.exe"
  2⤵
  PID:6668
- C:\Windows\SysWOW64\hh.exe
  "C:\Windows\System32\hh.exe"
  2⤵
  PID:6780
- C:\Windows\SysWOW64\HOSTNAME.EXE
  "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe"
  2⤵
  - Modifies file permissions
  PID:6848
- C:\Windows\SysWOW64\icsunattend.exe
  "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:5472
- C:\Windows\SysWOW64\ieUnatt.exe
  "C:\Windows\System32\ieUnatt.exe"
  2⤵
  PID:6588
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:6616
- C:\Windows\SysWOW64\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:6660
- C:\Windows\SysWOW64\InputSwitchToastHandler.exe
  "C:\Windows\System32\InputSwitchToastHandler.exe"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\instnm.exe
  "C:\Windows\System32\instnm.exe"
  2⤵
  PID:7116
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:6656
- C:\Windows\SysWOW64\iscsicli.exe
  "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:3272
- C:\Windows\SysWOW64\iscsicpl.exe
  "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:6064
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
    3⤵
    PID:7108
- C:\Windows\SysWOW64\isoburn.exe
  "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\ktmutil.exe
  "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:6040
- C:\Windows\SysWOW64\label.exe
  "C:\Windows\System32\label.exe"
  2⤵
  PID:6588
- C:\Windows\SysWOW64\LaunchTM.exe
  "C:\Windows\System32\LaunchTM.exe"
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    PID:5960
- C:\Windows\SysWOW64\LaunchWinApp.exe
  "C:\Windows\System32\LaunchWinApp.exe"
  2⤵
  PID:6708
- C:\Windows\SysWOW64\lodctr.exe
  "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:6488
- C:\Windows\SysWOW64\logagent.exe
  "C:\Windows\System32\logagent.exe"
  2⤵
  PID:556
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe"
  2⤵
  PID:6180
- C:\Windows\SysWOW64\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:4192
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:6488
- C:\Windows\SysWOW64\mavinject.exe
  "C:\Windows\System32\mavinject.exe"
  2⤵
  PID:7240
- C:\Windows\SysWOW64\mcbuilder.exe
  "C:\Windows\System32\mcbuilder.exe"
  2⤵
  PID:7272
- C:\Windows\SysWOW64\mfpmp.exe
  "C:\Windows\System32\mfpmp.exe"
  2⤵
  PID:7364
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  PID:7396
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    PID:7416
- C:\Windows\SysWOW64\mmgaserver.exe
  "C:\Windows\System32\mmgaserver.exe"
  2⤵
  PID:7464
- C:\Windows\SysWOW64\mobsync.exe
  "C:\Windows\System32\mobsync.exe"
  2⤵
  PID:7568
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe"
  2⤵
  PID:7652
- C:\Windows\SysWOW64\MRINFO.EXE
  "C:\Windows\System32\MRINFO.EXE"
  2⤵
  PID:7756
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\System32\msdt.exe"
  2⤵
  PID:7884
- C:\Windows\SysWOW64\msfeedssync.exe
  "C:\Windows\System32\msfeedssync.exe"
  2⤵
  PID:8104
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe"
  2⤵
  PID:8148
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe"
  2⤵
  PID:3176
- C:\Windows\SysWOW64\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe"
  2⤵
  PID:7172
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:7232
- C:\Windows\SysWOW64\msra.exe
  "C:\Windows\System32\msra.exe"
  2⤵
  PID:408
- - C:\Windows\system32\msra.exe
    "C:\Windows\system32\msra.exe"
    3⤵
    PID:7500
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\System32\mstsc.exe"
  2⤵
  PID:7560
- - C:\Windows\system32\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:7600
- C:\Windows\SysWOW64\mtstocom.exe
  "C:\Windows\System32\mtstocom.exe"
  2⤵
  PID:7620
- C:\Windows\SysWOW64\MuiUnattend.exe
  "C:\Windows\System32\MuiUnattend.exe"
  2⤵
  PID:7776
- C:\Windows\SysWOW64\ndadmin.exe
  "C:\Windows\System32\ndadmin.exe"
  2⤵
  PID:7848
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe"
  2⤵
  PID:7944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1
    3⤵
    PID:8036
- C:\Windows\SysWOW64\net1.exe
  "C:\Windows\System32\net1.exe"
  2⤵
  PID:8040
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\System32\netbtugc.exe"
  2⤵
  PID:8124
- C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
  "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\netiougc.exe
  "C:\Windows\System32\netiougc.exe"
  2⤵
  PID:7248
- C:\Windows\SysWOW64\Netplwiz.exe
  "C:\Windows\System32\Netplwiz.exe"
  2⤵
  PID:4316
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe"
  2⤵
  PID:8060
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\System32\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:7344
- C:\Windows\SysWOW64\newdev.exe
  "C:\Windows\System32\newdev.exe"
  2⤵
  PID:7736
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7728
- C:\Windows\SysWOW64\nslookup.exe
  "C:\Windows\System32\nslookup.exe"
  2⤵
  PID:396
- C:\Windows\SysWOW64\ntprint.exe
  "C:\Windows\System32\ntprint.exe"
  2⤵
  PID:7936
- C:\Windows\SysWOW64\odbcad32.exe
  "C:\Windows\System32\odbcad32.exe"
  2⤵
  PID:4660
- C:\Windows\SysWOW64\odbcconf.exe
  "C:\Windows\System32\odbcconf.exe"
  2⤵
  PID:7980
- C:\Windows\SysWOW64\OneDriveSetup.exe
  "C:\Windows\System32\OneDriveSetup.exe"
  2⤵
  PID:7652
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /cusid:S-1-5-21-2805025096-2326403612-4231045514-1000
    3⤵
    PID:8508
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess
    3⤵
    PID:8604
- C:\Windows\SysWOW64\openfiles.exe
  "C:\Windows\System32\openfiles.exe"
  2⤵
  PID:8100
- C:\Windows\SysWOW64\OpenWith.exe
  "C:\Windows\System32\OpenWith.exe"
  2⤵
  PID:7788
- C:\Windows\SysWOW64\OposHost.exe
  "C:\Windows\System32\OposHost.exe"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\PackagedCWALauncher.exe
  "C:\Windows\System32\PackagedCWALauncher.exe"
  2⤵
  PID:2188
- C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
  "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
  2⤵
  PID:5136
- C:\Windows\SysWOW64\PATHPING.EXE
  "C:\Windows\System32\PATHPING.EXE"
  2⤵
  PID:1148
- C:\Windows\SysWOW64\pcaui.exe
  "C:\Windows\System32\pcaui.exe"
  2⤵
  PID:6848
- C:\Windows\SysWOW64\perfhost.exe
  "C:\Windows\System32\perfhost.exe"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\perfmon.exe
  "C:\Windows\System32\perfmon.exe"
  2⤵
  PID:6368
- C:\Windows\SysWOW64\PickerHost.exe
  "C:\Windows\System32\PickerHost.exe"
  2⤵
  PID:3172
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE"
  2⤵
  - Runs ping.exe
  PID:7984
- C:\Windows\SysWOW64\PkgMgr.exe
  "C:\Windows\System32\PkgMgr.exe"
  2⤵
  PID:8128
- C:\Windows\SysWOW64\poqexec.exe
  "C:\Windows\System32\poqexec.exe"
  2⤵
  PID:7976
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe"
  2⤵
  PID:8112
- C:\Windows\SysWOW64\PresentationHost.exe
  "C:\Windows\System32\PresentationHost.exe"
  2⤵
  PID:3196
- C:\Windows\SysWOW64\prevhost.exe
  "C:\Windows\System32\prevhost.exe"
  2⤵
  PID:6968
- C:\Windows\SysWOW64\print.exe
  "C:\Windows\System32\print.exe"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\printui.exe
  "C:\Windows\System32\printui.exe"
  2⤵
  PID:7340
- C:\Windows\SysWOW64\proquota.exe
  "C:\Windows\System32\proquota.exe"
  2⤵
  PID:6848
- C:\Windows\SysWOW64\provlaunch.exe
  "C:\Windows\System32\provlaunch.exe"
  2⤵
  PID:5356
- C:\Windows\SysWOW64\psr.exe
  "C:\Windows\System32\psr.exe"
  2⤵
  PID:5536
- - C:\Windows\system32\psr.exe
    "C:\Windows\system32\psr.exe"
    3⤵
    PID:2208
- C:\Windows\SysWOW64\quickassist.exe
  "C:\Windows\System32\quickassist.exe"
  2⤵
  PID:7960
- C:\Windows\SysWOW64\rasautou.exe
  "C:\Windows\System32\rasautou.exe"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\rasdial.exe
  "C:\Windows\System32\rasdial.exe"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\System32\raserver.exe"
  2⤵
  PID:4992
- C:\Windows\SysWOW64\rasphone.exe
  "C:\Windows\System32\rasphone.exe"
  2⤵
  PID:7280
- C:\Windows\SysWOW64\RdpSa.exe
  "C:\Windows\System32\RdpSa.exe"
  2⤵
  PID:6964
- C:\Windows\SysWOW64\RdpSaProxy.exe
  "C:\Windows\System32\RdpSaProxy.exe"
  2⤵
  PID:7284
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\system32\RdpSa.exe"
    3⤵
    PID:4800
- C:\Windows\SysWOW64\RdpSaUacHelper.exe
  "C:\Windows\System32\RdpSaUacHelper.exe"
  2⤵
  PID:4688
- C:\Windows\SysWOW64\rdrleakdiag.exe
  "C:\Windows\System32\rdrleakdiag.exe"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\ReAgentc.exe
  "C:\Windows\System32\ReAgentc.exe"
  2⤵
  PID:576
- C:\Windows\SysWOW64\recover.exe
  "C:\Windows\System32\recover.exe"
  2⤵
  PID:8248
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe"
  2⤵
  PID:8308
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:8416
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe"
  2⤵
  PID:8528
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:8660
- C:\Windows\SysWOW64\regini.exe
  "C:\Windows\System32\regini.exe"
  2⤵
  PID:8644
- C:\Windows\SysWOW64\Register-CimProvider.exe
  "C:\Windows\System32\Register-CimProvider.exe"
  2⤵
  PID:8748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x3b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv NqchV2hZ4kudJnugCTGUSw.0
1⤵
PID:4332

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv Y8YXpuug70qZhTw6PSVE1A.0
1⤵
PID:3952

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv W+sRDcCy9kWBpT7/QpRL4w.0
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:3840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5488
- C:\Windows\system32\dashost.exe
  dashost.exe {5c112d95-8ebe-41a6-a6ffa04ce3df45c2}
  2⤵
  PID:5628
- C:\Windows\system32\dashost.exe
  dashost.exe {1880e411-cf8d-49b2-8d0b3137bbbeb990}
  2⤵
  PID:5748
- C:\Windows\system32\dashost.exe
  dashost.exe {38db01c6-ca37-4a00-96f0e4c2ee8b94e4}
  2⤵
  PID:3484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5712

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:5808

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6040

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv PysQ1dYU0U+A5AhEOCqa7w.0
1⤵
PID:5512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:5360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 6660 -ip 6660
1⤵
PID:6240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4672 -ip 4672
1⤵
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4672 -s 776
1⤵
- Program crash
PID:5128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 6660 -ip 6660
1⤵
PID:6960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7976

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
1⤵
PID:6612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
1f3fcc494ea3b4ddd64480fade23f756

SHA1
239a0e1a501fd266e5b9e11e30b1c21d76c9861c

SHA256
38e9f248c8276c700f7de9b62a7dac64100fc2e6d6d32401a9408b8fe787a5ca

SHA512
acc9a0c6f46b7d40238a3560b5b50fabe6d27c487c1b6b59232be4a41d40047216424ad8cce6482bc6c58cfa66281db5e7f075a6c934a0fde5d051420cf7f14c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
fc4a51fcf0c45f16b9355f2ba6050e1c

SHA1
be5229750bae1f5ef5f57a842fa49fc28b8fa53e

SHA256
ee3f750c27bc228363632eceff4ef5ecc3df4931be68941e2decf946ce28f4b0

SHA512
9da89f480e35af1b2d9366ef28735faee4c3c5cc72d9febf4dd286fc8fab6907a314fdf8da3ec3c8f7c207df1f60cec136c43f5e1d154a795d13482b21b180a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
2f39741c47ba2cb5c3a04c567774cd6a

SHA1
c9da2d2bccb76231b1d573515cc38e04480d14fb

SHA256
fa4b39c9700bc24d9d00c3c054d5a04116b1a4d2bb4685489010362376bf8b33

SHA512
c85e8bee05b1847ae05abe47d946558b55a581db7a8aa7ab69cf35fafd5852d3e73cc776b3a47c8594cfb98b70d92135a47e121956f89272a2640dd62645686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
5c2485f5a8f53125fa98ad938976c78d

SHA1
ea1df2060f7ba4832c5e96345871c5f340708139

SHA256
ede5f028410b71ee5df77fc1f59e3177f6860d0176685e674187ca6036711db7

SHA512
8ca4175f7345e59ea6a3ea00c39f6d6147ff82499f3e946a6fab5cfd8956798648438c268285536d4381d7cdfe209055ad20c76ed949216eefb7ab98ebf924a6

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
196KB

MD5
8e01d96419f899fc0fa2ae430d56bc01

SHA1
ac10279257c40101283b1ba09e3e35cb0ed011b5

SHA256
b2523814d1e12cfaf3a90bcd7dde7ac239337424dad06870ddacd310bef124f5

SHA512
0285062783d6825980b7d7acefa9b48bb517b3c968fb2a836175cc4b63cb4edd5c23bf22867ff41bba9bbcb38dea6172af9fa566767b715fefce8a3044a61929

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
12KB

MD5
ffda0db45f5932ec7cad8fb9368d2531

SHA1
8cbfb35b16f564f727756053f3a0899458691aec

SHA256
9afc0bde7fbf0615caa91e43e81a2cf7603814d92ad48cb6cb2ad70fe0043db6

SHA512
2c92d59452c772f29ae4b69f8afe9637c5cc69b9366376439d57a3874bc886bfa2428ea9217473ae08a8d0acc88d5fd2f3559714fab397eb97d4de9442660467

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
14KB

MD5
8ddfe46a07f62fe06e712e7d459245c7

SHA1
e7e542e9986807ed79ea7f3a1462044328359eca

SHA256
44390d0a92204c1cc1354ec13c63aed07dbd02531399d1e9c09b46b1022e387a

SHA512
314e4bb4f0195f68e0f22b839d376fa158d02beac5d601e353215521ce65cdd1950b9a787a936078e102af4e0f88f2c1d6ef69f0400ddb124fde589d55f3e4a8

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
16KB

MD5
ba471f525e69bd03b9e2bca5c4f32ff1

SHA1
0505d8593fac41fd2a7e97b2332e9eb908e87a9b

SHA256
0573f0675374e6f91c5019ac4ab28d5b7b801685b1df77ee1f9a98c02d77a726

SHA512
f4b8552e88da1734ffb1d985cd4c1408f3e203ad0417f77aa10796b8ea8ade180aa4e0db84ff14da068d6d82579b5e97a77fde52759ae3d57016d7310fdbdd8c

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
3d34672c8d6c006b05eb275222efe3a9

SHA1
bb310d4e5744284ff55478a975f96f69a5f31409

SHA256
e2831ed9dbe159df1d27711455075e155b2e4288e0afcc6c8fe1b1fe040eb836

SHA512
a53bff1d86a407b5193913433481a7ec1f40fffda61d4976febe3b300be4585e037ffcacf5fa613c6cd814100a2f17dbb7ee9af58d68ca99747a5e82acd20330

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
15KB

MD5
e53dba772140954327707dfead6b66c3

SHA1
779207780fd8ff003c3ab7c7a96ab999ab4392fd

SHA256
dd00250ab08cbf1207723d9ce57629c480e554383880c67e4e096cebbd1ce91c

SHA512
e60194e53fda319cb47f537234826633cdfbf3e4789f258105db901887fd909d3fd1af2261e9d6aa2e54451f4f12a344b8c7732d6a08b2b8be89a821db13e84c

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
17KB

MD5
5fbeb429769773fcf1ceb9aea7544ebc

SHA1
c0a6b75c02388a5ce73f9efb8d6b7000d5210159

SHA256
67ca7cc4aba609ac8a4a0912a00662924f24eedd69b07c37977fffa45410c990

SHA512
bc0b9f93fdab3f0d01c3ce923ee101d2c196213ac09846844d9e1bed1d939d2ac19c80c335dbe62b42b086f4f11d697d4e1a80db5be63c597d929b1a99b3a800

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
47KB

MD5
4b044130452f1f010b550d3c45b101bb

SHA1
ec610f71a24ccfa363d39eed8c357b7f7c915075

SHA256
20f50cb6489b6717d58c42bb297619d69227da4b1423e927966ae96720ccc91a

SHA512
8d86a1b33f3510607e91f86a444b5f4a34381b4e338ab22f24bb690f510ac09d899ead9e514e4d225e2b9f020c18d06c9f346b25b640f604310de4cf66e9ff1a

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
47KB

MD5
90b1051ffbcfd4e8079adce4070869de

SHA1
82a351196fdcb014fd7d835461ccddbdcca27ead

SHA256
5962757574ef0c7036cea1bfeb21fe248d312fe63ce6b791914679cf557d4d61

SHA512
9c78cb4f0b8028b48b9f5886ae7a7cab0f7566ea65a3e4683c6a867dbf3e351da1c56dee5f1a7fabfbf2c204d2bca83dc17ddd7f209d118e6afa3e809e96f600

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
47KB

MD5
312f26126420c9df9072912e15e375ef

SHA1
1c98c90242cacdcb85943dbcee98ff516585cdfd

SHA256
682cee612d4a2e548fa2d36a453619af6003f2ad66d95000709cf905a7cb5b2e

SHA512
4cb97d44987a346c7ed41788feff531ca5e66d524bcc82da43dcf44781b30805e91cfc3995c8bf8138d129204e7934b3cd0b396d37d6738d30dde0302e2efe2e

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
533B

MD5
c1519eb37db2bda40b9c8cd803c28c52

SHA1
5819a680eed02ecdaa5a11f072085716cf555120

SHA256
eb555178564e62431c98d782aa0d3a72cd8d5ed5a6526f33e50f298be15ba34f

SHA512
f621dbd87b7afffc5008384b2dfa4acdeb11efd4750475ae4b2fc91448034c0f139f90d441a95dd19d94d987e0915e2f0da1c665ab121c8f92b373f65124d7a5

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
813B

MD5
8aef8a4f132b1794361a82d776c992f7

SHA1
c6afd994c796223e7e77579c3f232870a524379c

SHA256
26bc4831d6e04dee51569776593e5a6ff0a3c0609d9a25cca222800a92cee53c

SHA512
eb005c8591ab046d4d5fe2cba0ae3f728a0d66b9a01bcfbaa0975202c63b95885ae5bd5f830695df591ef15e7ec4c604beb1c111b65ccd8445c7dadbc54cfa6d

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
1KB

MD5
e738d4cd4d93e88ec4020173e68d8ee0

SHA1
7395631821011972628a180974346a003eab3785

SHA256
c1efd23c769e3df3cbe346d81ca02ac93cf94b228a80c5a948466b7278915ffa

SHA512
2d17ada49cba8ae7e9cbeb191b172f7543e02c7d9d5516a35a9edfbe0ccbd646e441b71661e9541becacd8d418355f0443621b93701355c7fc82f5e75963931a

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagerr.xml

Filesize
11KB

MD5
16d8fbe8a75c53bb34296b896ed455a3

SHA1
20f1169f66bed03e1c1afed5d875c7dfae53233a

SHA256
de0122208f9082b7f6c8aeee0df5570aeaed405994162bd9ac3d1532a8a988de

SHA512
59cec9623a243cc23ebc1e66dbae4b9296cffc30bcfeb03f1b81e72ab75d94ed7a9f307e2e9332aa01c651e73a31fd9f01f3b6c0c27cbee70d13dc702d899bda

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml

Filesize
9KB

MD5
692ca5ebc9e0cef0a8d0be4df7400cee

SHA1
f63dada2e5f7a1d786c93bc3d757642d93b24b59

SHA256
a378a154cfbf27b8471462c657f28a11fee70fd33593ac09ee216c642b26b3aa

SHA512
429b2eba8b421f3bae504ebe94da0ea9e662e5256d16301f46a4590f915b381cbc67b86c2beba391600b5f512412f1dcd9bdefc363b4c63dc7136022fa0f45bb

Download Submit
C:\Windows\System32\LogFiles\setupcln\setupact.log

Filesize
10KB

MD5
6c99f07230030cea280de333cb9db7c4

SHA1
998d32b1d63ecd41997253a583abd2e33cab16fd

SHA256
5d18320a8503bb39990e3a178ea65df7ca6615cfd399e0ff05608592ad52d30c

SHA512
5f5c0af31fa3b08c27995dc5a80c37b6b522101812663e00b39bd9a7ef6b54f94c281f9f159cbd939c17cde59e6faa4d4e21ab33f2da08f3ec51d713d1653140

Download Submit
memory/3196-398-0x0000000034DE0000-0x0000000034DF0000-memory.dmp

Filesize
64KB

Download
memory/5316-207-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-229-0x00007FF4598F0000-0x00007FF459900000-memory.dmp

Filesize
64KB

Download
memory/5316-169-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-175-0x00007FF4598F0000-0x00007FF459900000-memory.dmp

Filesize
64KB

Download
memory/5316-174-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-171-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-172-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-168-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-205-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-206-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-170-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5316-208-0x000000001D3D0000-0x000000001D3E0000-memory.dmp

Filesize
64KB

Download
memory/5964-217-0x0000000001320000-0x0000000001330000-memory.dmp

Filesize
64KB

Download
memory/6660-237-0x000000001C980000-0x000000001C990000-memory.dmp

Filesize
64KB

Download
memory/6660-236-0x000000001C980000-0x000000001C990000-memory.dmp

Filesize
64KB

Download
memory/6660-238-0x000000001C980000-0x000000001C990000-memory.dmp

Filesize
64KB

Download
memory/6660-239-0x00007FF4D5BC0000-0x00007FF4D5BD0000-memory.dmp

Filesize
64KB

Download
memory/6764-248-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-251-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-250-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-252-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-246-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-247-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-242-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-241-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-240-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/6764-249-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads