f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef

Analysis

max time kernel
60s
max time network
227s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
02/04/2025, 16:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Holzer.exe
Size

135KB
MD5

c971c68b4e58ccc82802b21ae8488bc7
SHA1

7305f3a0a0a0d489e0bcf664353289f61556de77
SHA256

cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce
SHA512

ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7
SSDEEP

3072:2EYGNIaWY/0kTKxIJXtJ0YCHiQtSetFITTTTTHvvvvvNKB:HN5TKvr9PuKB

Score

8^/10

bootkit defense_evasion discovery exploit persistence privilege_escalation

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
defense_evasion

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
6980	icacls.exe
10800	takeown.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6980	icacls.exe
10800	takeown.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
9460	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
7072	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
11132	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
11008	runas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3052	3428	WerFault.exe	165
10724	9936	WerFault.exe	370
7164	10648	WerFault.exe	604
7164	1688	WerFault.exe	628

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkntfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	convert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	credwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holzer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auditpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BackgroundTransferHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertEnrollCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CredentialUIBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cliconfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudNotifications.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bthudtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10216	PATHPING.EXE
9332	PING.EXE
10896	RpcPing.exe
10984	TRACERT.EXE

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
7612	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	convert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3584	ipconfig.exe
9624	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
11180	systeminfo.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6284	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
9332	PING.EXE

Runs regedit.exe 2 IoCs

pid	Process
10220	regedit.exe
9240	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3456	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1848	Holzer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	5832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5832	AUDIODG.EXE
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeShutdownPrivilege	2940	svchost.exe
Token: SeShutdownPrivilege	2940	svchost.exe
Token: SeCreatePagefilePrivilege	2940	svchost.exe
Token: SeSecurityPrivilege	4996	auditpol.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeBackupPrivilege	1260	vssvc.exe
Token: SeRestorePrivilege	1260	vssvc.exe
Token: SeAuditPrivilege	1260	vssvc.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeSystemtimePrivilege	1848	Holzer.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3456	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1976	Calculator.exe
1448	certreq.exe
2984	CloudNotifications.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2252	1848	Holzer.exe	85
PID 1848 wrote to memory of 2252	1848	Holzer.exe	85
PID 1848 wrote to memory of 2252	1848	Holzer.exe	85
PID 1848 wrote to memory of 1420	1848	Holzer.exe	86
PID 1848 wrote to memory of 1420	1848	Holzer.exe	86
PID 1848 wrote to memory of 1420	1848	Holzer.exe	86
PID 1848 wrote to memory of 128	1848	Holzer.exe	89
PID 1848 wrote to memory of 128	1848	Holzer.exe	89
PID 1848 wrote to memory of 128	1848	Holzer.exe	89
PID 1848 wrote to memory of 4740	1848	Holzer.exe	91
PID 1848 wrote to memory of 4740	1848	Holzer.exe	91
PID 1848 wrote to memory of 4740	1848	Holzer.exe	91
PID 1848 wrote to memory of 2952	1848	Holzer.exe	93
PID 1848 wrote to memory of 2952	1848	Holzer.exe	93
PID 1848 wrote to memory of 2952	1848	Holzer.exe	93
PID 1848 wrote to memory of 5696	1848	Holzer.exe	94
PID 1848 wrote to memory of 5696	1848	Holzer.exe	94
PID 1848 wrote to memory of 5696	1848	Holzer.exe	94
PID 1848 wrote to memory of 4996	1848	Holzer.exe	96
PID 1848 wrote to memory of 4996	1848	Holzer.exe	96
PID 1848 wrote to memory of 4996	1848	Holzer.exe	96
PID 1848 wrote to memory of 1992	1848	Holzer.exe	99
PID 1848 wrote to memory of 1992	1848	Holzer.exe	99
PID 1848 wrote to memory of 1992	1848	Holzer.exe	99
PID 1848 wrote to memory of 672	1848	Holzer.exe	100
PID 1848 wrote to memory of 672	1848	Holzer.exe	100
PID 1848 wrote to memory of 672	1848	Holzer.exe	100
PID 1848 wrote to memory of 2360	1848	Holzer.exe	101
PID 1848 wrote to memory of 2360	1848	Holzer.exe	101
PID 1848 wrote to memory of 2360	1848	Holzer.exe	101
PID 1848 wrote to memory of 1956	1848	Holzer.exe	103
PID 1848 wrote to memory of 1956	1848	Holzer.exe	103
PID 1848 wrote to memory of 1956	1848	Holzer.exe	103
PID 1848 wrote to memory of 2392	1848	Holzer.exe	105
PID 1848 wrote to memory of 2392	1848	Holzer.exe	105
PID 1848 wrote to memory of 2392	1848	Holzer.exe	105
PID 1848 wrote to memory of 4924	1848	Holzer.exe	107
PID 1848 wrote to memory of 4924	1848	Holzer.exe	107
PID 1848 wrote to memory of 4924	1848	Holzer.exe	107
PID 1848 wrote to memory of 852	1848	Holzer.exe	109
PID 1848 wrote to memory of 852	1848	Holzer.exe	109
PID 1848 wrote to memory of 852	1848	Holzer.exe	109
PID 1848 wrote to memory of 6116	1848	Holzer.exe	113
PID 1848 wrote to memory of 6116	1848	Holzer.exe	113
PID 1848 wrote to memory of 6116	1848	Holzer.exe	113
PID 1848 wrote to memory of 2780	1848	Holzer.exe	114
PID 1848 wrote to memory of 2780	1848	Holzer.exe	114
PID 1848 wrote to memory of 2780	1848	Holzer.exe	114
PID 1848 wrote to memory of 1448	1848	Holzer.exe	118
PID 1848 wrote to memory of 1448	1848	Holzer.exe	118
PID 1848 wrote to memory of 1448	1848	Holzer.exe	118
PID 1848 wrote to memory of 2520	1848	Holzer.exe	120
PID 1848 wrote to memory of 2520	1848	Holzer.exe	120
PID 1848 wrote to memory of 2520	1848	Holzer.exe	120
PID 1848 wrote to memory of 4724	1848	Holzer.exe	122
PID 1848 wrote to memory of 4724	1848	Holzer.exe	122
PID 1848 wrote to memory of 4724	1848	Holzer.exe	122
PID 1848 wrote to memory of 4176	1848	Holzer.exe	123
PID 1848 wrote to memory of 4176	1848	Holzer.exe	123
PID 1848 wrote to memory of 4176	1848	Holzer.exe	123
PID 1848 wrote to memory of 5052	1848	Holzer.exe	125
PID 1848 wrote to memory of 5052	1848	Holzer.exe	125
PID 1848 wrote to memory of 5052	1848	Holzer.exe	125
PID 1848 wrote to memory of 5680	1848	Holzer.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5696	attrib.exe
6808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:2252
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:1420
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:128
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5696
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:3968
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\SysWOW64\ByteCodeGenerator.exe
  "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:2392
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852
- C:\Windows\SysWOW64\CameraSettingsUIHost.exe
  "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6116
- C:\Windows\SysWOW64\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1448
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4176
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:5052
- C:\Windows\SysWOW64\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:5680
- C:\Windows\SysWOW64\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5148
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\SysWOW64\cleanmgr.exe"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:5048
  - - C:\Windows\SysWOW64\cleanmgr.exe
      "C:\Windows\SysWOW64\cleanmgr.exe"
      4⤵
      PID:7532
- C:\Windows\SysWOW64\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5180
- C:\Windows\SysWOW64\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3428
- C:\Windows\SysWOW64\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:400
- C:\Windows\SysWOW64\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- C:\Windows\SysWOW64\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6032
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- C:\Windows\SysWOW64\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\SysWOW64\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\SysWOW64\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5912
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2228
- C:\Windows\SysWOW64\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:3200
- C:\Windows\SysWOW64\CredentialUIBroker.exe
  "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5500
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5948
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 728
    3⤵
    - Program crash
    PID:3052
- C:\Windows\SysWOW64\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  PID:5468
- C:\Windows\SysWOW64\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:5824
- C:\Windows\SysWOW64\curl.exe
  "C:\Windows\System32\curl.exe"
  2⤵
  PID:4008
- C:\Windows\SysWOW64\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:1060
- C:\Windows\SysWOW64\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:4980
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    PID:5464
- C:\Windows\SysWOW64\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:4784
- C:\Windows\SysWOW64\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:404
- C:\Windows\SysWOW64\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:5700
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:6244
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:6420
- C:\Windows\SysWOW64\diskusage.exe
  "C:\Windows\System32\diskusage.exe"
  2⤵
  PID:6528
- C:\Windows\SysWOW64\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  PID:6596
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:6712
- C:\Windows\SysWOW64\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:6892
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:6928
- C:\Windows\SysWOW64\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:6972
- C:\Windows\SysWOW64\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:6996
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:display
    3⤵
    PID:7028
- C:\Windows\SysWOW64\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:6448
- C:\Windows\SysWOW64\dtdump.exe
  "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:6640
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:6716
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    PID:6704
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      PID:6872
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        
        PID:5168
- C:\Windows\SysWOW64\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:6956
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:6712
- C:\Windows\SysWOW64\EaseOfAccessDialog.exe
  "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:6956
- C:\Windows\SysWOW64\edpnotify.exe
  "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:6432
- C:\Windows\SysWOW64\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:6640
- C:\Windows\SysWOW64\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:6612
- C:\Windows\SysWOW64\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:6628
- C:\Windows\SysWOW64\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:7108
- C:\Windows\SysWOW64\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:5916
- C:\Windows\SysWOW64\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    PID:6924
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:7060
- C:\Windows\SysWOW64\expand.exe
  "C:\Windows\System32\expand.exe"
  2⤵
  PID:6428
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\extrac32.exe
  "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:7004
- C:\Windows\SysWOW64\fc.exe
  "C:\Windows\System32\fc.exe"
  2⤵
  PID:4592
- C:\Windows\SysWOW64\find.exe
  "C:\Windows\System32\find.exe"
  2⤵
  PID:4944
- C:\Windows\SysWOW64\findstr.exe
  "C:\Windows\System32\findstr.exe"
  2⤵
  PID:7228
- C:\Windows\SysWOW64\finger.exe
  "C:\Windows\System32\finger.exe"
  2⤵
  PID:7324
- C:\Windows\SysWOW64\fixmapi.exe
  "C:\Windows\System32\fixmapi.exe"
  2⤵
  PID:7392
- C:\Windows\SysWOW64\fltMC.exe
  "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:7412
- C:\Windows\SysWOW64\Fondue.exe
  "C:\Windows\System32\Fondue.exe"
  2⤵
  PID:7456
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\System32\fontview.exe"
  2⤵
  PID:7500
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:7564
- - C:\Windows\SysWOW64\cmd.exe
    /c echo "3819280329"
    3⤵
    PID:7632
- C:\Windows\SysWOW64\fsquirt.exe
  "C:\Windows\System32\fsquirt.exe"
  2⤵
  PID:7648
- C:\Windows\SysWOW64\fsutil.exe
  "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:7676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
  2⤵
  PID:7744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x308,0x7ffef4d2f208,0x7ffef4d2f214,0x7ffef4d2f220
    3⤵
    PID:7776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1792,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:11
    3⤵
    PID:8028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2600,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:2
    3⤵
    PID:8040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2096,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=2736 /prefetch:13
    3⤵
    PID:8048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:6352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=732,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:14
    3⤵
    PID:9080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5100,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:14
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5012,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:14
    3⤵
    PID:9048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3152,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:14
    3⤵
    PID:8060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=884,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:14
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5268,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:14
    3⤵
    PID:9756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2012,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:14
    3⤵
    PID:7512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5464,i,10514083855125790901,908891824474285878,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:10
    3⤵
    PID:2720
- C:\Windows\SysWOW64\GameBarPresenceWriter.exe
  "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  PID:7876
- C:\Windows\SysWOW64\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe"
  2⤵
  PID:7048
- C:\Windows\SysWOW64\getmac.exe
  "C:\Windows\System32\getmac.exe"
  2⤵
  PID:7392
- C:\Windows\SysWOW64\gpresult.exe
  "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:7696
- C:\Windows\SysWOW64\gpscript.exe
  "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:7180
- C:\Windows\SysWOW64\gpupdate.exe
  "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:5032
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:7492
- C:\Windows\SysWOW64\hdwwiz.exe
  "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:7824
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\System32\help.exe"
  2⤵
  PID:8020
- C:\Windows\SysWOW64\hh.exe
  "C:\Windows\System32\hh.exe"
  2⤵
  PID:8164
- C:\Windows\SysWOW64\HOSTNAME.EXE
  "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6980
- C:\Windows\SysWOW64\icsunattend.exe
  "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\ieUnatt.exe
  "C:\Windows\System32\ieUnatt.exe"
  2⤵
  PID:8060
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:5116
- C:\Windows\SysWOW64\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\InputSwitchToastHandler.exe
  "C:\Windows\System32\InputSwitchToastHandler.exe"
  2⤵
  PID:7492
- C:\Windows\SysWOW64\instnm.exe
  "C:\Windows\System32\instnm.exe"
  2⤵
  PID:3060
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:3584
- C:\Windows\SysWOW64\iscsicli.exe
  "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:1560
- C:\Windows\SysWOW64\iscsicpl.exe
  "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:5508
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
    3⤵
    PID:3060
- C:\Windows\SysWOW64\isoburn.exe
  "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:6972
- C:\Windows\SysWOW64\ktmutil.exe
  "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:4212
- C:\Windows\SysWOW64\label.exe
  "C:\Windows\System32\label.exe"
  2⤵
  PID:4304
- C:\Windows\SysWOW64\LaunchTM.exe
  "C:\Windows\System32\LaunchTM.exe"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    PID:4296
- C:\Windows\SysWOW64\LaunchWinApp.exe
  "C:\Windows\System32\LaunchWinApp.exe"
  2⤵
  PID:1560
- C:\Windows\SysWOW64\lodctr.exe
  "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:5152
- C:\Windows\SysWOW64\logagent.exe
  "C:\Windows\System32\logagent.exe"
  2⤵
  PID:724
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:8220
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:8348
- C:\Windows\SysWOW64\mavinject.exe
  "C:\Windows\System32\mavinject.exe"
  2⤵
  PID:8536
- C:\Windows\SysWOW64\mcbuilder.exe
  "C:\Windows\System32\mcbuilder.exe"
  2⤵
  PID:8748
- C:\Windows\SysWOW64\mfpmp.exe
  "C:\Windows\System32\mfpmp.exe"
  2⤵
  PID:8956
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  PID:9208
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    PID:8436
- C:\Windows\SysWOW64\mmgaserver.exe
  "C:\Windows\System32\mmgaserver.exe"
  2⤵
  PID:8832
- C:\Windows\SysWOW64\mobsync.exe
  "C:\Windows\System32\mobsync.exe"
  2⤵
  PID:8880
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\MRINFO.EXE
  "C:\Windows\System32\MRINFO.EXE"
  2⤵
  PID:8464
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\System32\msdt.exe"
  2⤵
  PID:8768
- C:\Windows\SysWOW64\msfeedssync.exe
  "C:\Windows\System32\msfeedssync.exe"
  2⤵
  PID:5340
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe"
  2⤵
  PID:8212
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe"
  2⤵
  PID:8456
- C:\Windows\SysWOW64\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe"
  2⤵
  PID:7792
- C:\Windows\SysWOW64\msra.exe
  "C:\Windows\System32\msra.exe"
  2⤵
  PID:5952
- - C:\Windows\system32\msra.exe
    "C:\Windows\system32\msra.exe"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\System32\mstsc.exe"
  2⤵
  PID:8440
- - C:\Windows\system32\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:8212
- C:\Windows\SysWOW64\mtstocom.exe
  "C:\Windows\System32\mtstocom.exe"
  2⤵
  PID:8476
- C:\Windows\SysWOW64\MuiUnattend.exe
  "C:\Windows\System32\MuiUnattend.exe"
  2⤵
  PID:2352
- C:\Windows\SysWOW64\ndadmin.exe
  "C:\Windows\System32\ndadmin.exe"
  2⤵
  PID:8620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe"
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1
    3⤵
    PID:8440
- C:\Windows\SysWOW64\net1.exe
  "C:\Windows\System32\net1.exe"
  2⤵
  PID:9248
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\System32\netbtugc.exe"
  2⤵
  PID:9308
- C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
  "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:9400
- C:\Windows\SysWOW64\netiougc.exe
  "C:\Windows\System32\netiougc.exe"
  2⤵
  PID:9420
- C:\Windows\SysWOW64\Netplwiz.exe
  "C:\Windows\System32\Netplwiz.exe"
  2⤵
  PID:9512
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe"
  2⤵
  PID:9556
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\System32\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:9624
- C:\Windows\SysWOW64\newdev.exe
  "C:\Windows\System32\newdev.exe"
  2⤵
  PID:9684
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9696
- C:\Windows\SysWOW64\nslookup.exe
  "C:\Windows\System32\nslookup.exe"
  2⤵
  PID:9744
- C:\Windows\SysWOW64\ntprint.exe
  "C:\Windows\System32\ntprint.exe"
  2⤵
  PID:9820
- C:\Windows\SysWOW64\odbcad32.exe
  "C:\Windows\System32\odbcad32.exe"
  2⤵
  PID:9832
- C:\Windows\SysWOW64\odbcconf.exe
  "C:\Windows\System32\odbcconf.exe"
  2⤵
  PID:9896
- C:\Windows\SysWOW64\OneDriveSetup.exe
  "C:\Windows\System32\OneDriveSetup.exe"
  2⤵
  PID:9936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9936 -s 1528
    3⤵
    - Program crash
    PID:10724
- C:\Windows\SysWOW64\openfiles.exe
  "C:\Windows\System32\openfiles.exe"
  2⤵
  PID:10072
- C:\Windows\SysWOW64\OpenWith.exe
  "C:\Windows\System32\OpenWith.exe"
  2⤵
  PID:10140
- C:\Windows\SysWOW64\OposHost.exe
  "C:\Windows\System32\OposHost.exe"
  2⤵
  PID:10156
- C:\Windows\SysWOW64\PackagedCWALauncher.exe
  "C:\Windows\System32\PackagedCWALauncher.exe"
  2⤵
  PID:10184
- C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
  "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
  2⤵
  PID:10200
- C:\Windows\SysWOW64\PATHPING.EXE
  "C:\Windows\System32\PATHPING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10216
- C:\Windows\SysWOW64\pcaui.exe
  "C:\Windows\System32\pcaui.exe"
  2⤵
  PID:4856
- C:\Windows\SysWOW64\perfhost.exe
  "C:\Windows\System32\perfhost.exe"
  2⤵
  PID:9232
- C:\Windows\SysWOW64\perfmon.exe
  "C:\Windows\System32\perfmon.exe"
  2⤵
  PID:7720
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
    3⤵
    PID:7260
- C:\Windows\SysWOW64\PickerHost.exe
  "C:\Windows\System32\PickerHost.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:9332
- C:\Windows\SysWOW64\PkgMgr.exe
  "C:\Windows\System32\PkgMgr.exe"
  2⤵
  PID:9440
- C:\Windows\SysWOW64\poqexec.exe
  "C:\Windows\System32\poqexec.exe"
  2⤵
  PID:9448
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe"
  2⤵
  - Power Settings
  PID:9460
- C:\Windows\SysWOW64\PresentationHost.exe
  "C:\Windows\System32\PresentationHost.exe"
  2⤵
  PID:9484
- C:\Windows\SysWOW64\prevhost.exe
  "C:\Windows\System32\prevhost.exe"
  2⤵
  PID:9148
- C:\Windows\SysWOW64\print.exe
  "C:\Windows\System32\print.exe"
  2⤵
  PID:9120
- C:\Windows\SysWOW64\printui.exe
  "C:\Windows\System32\printui.exe"
  2⤵
  PID:6828
- C:\Windows\SysWOW64\proquota.exe
  "C:\Windows\System32\proquota.exe"
  2⤵
  PID:6792
- C:\Windows\SysWOW64\provlaunch.exe
  "C:\Windows\System32\provlaunch.exe"
  2⤵
  PID:6844
- C:\Windows\SysWOW64\psr.exe
  "C:\Windows\System32\psr.exe"
  2⤵
  PID:9948
- - C:\Windows\system32\psr.exe
    "C:\Windows\system32\psr.exe"
    3⤵
    PID:10072
- C:\Windows\SysWOW64\quickassist.exe
  "C:\Windows\System32\quickassist.exe"
  2⤵
  PID:10188
- C:\Windows\SysWOW64\rasautou.exe
  "C:\Windows\System32\rasautou.exe"
  2⤵
  PID:9228
- C:\Windows\SysWOW64\rasdial.exe
  "C:\Windows\System32\rasdial.exe"
  2⤵
  PID:6540
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\System32\raserver.exe"
  2⤵
  PID:7436
- C:\Windows\SysWOW64\rasphone.exe
  "C:\Windows\System32\rasphone.exe"
  2⤵
  PID:6304
- C:\Windows\SysWOW64\RdpSa.exe
  "C:\Windows\System32\RdpSa.exe"
  2⤵
  PID:10104
- C:\Windows\SysWOW64\RdpSaProxy.exe
  "C:\Windows\System32\RdpSaProxy.exe"
  2⤵
  PID:7460
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\system32\RdpSa.exe"
    3⤵
    PID:9236
- C:\Windows\SysWOW64\RdpSaUacHelper.exe
  "C:\Windows\System32\RdpSaUacHelper.exe"
  2⤵
  PID:10220
- C:\Windows\SysWOW64\rdrleakdiag.exe
  "C:\Windows\System32\rdrleakdiag.exe"
  2⤵
  PID:9340
- C:\Windows\SysWOW64\ReAgentc.exe
  "C:\Windows\System32\ReAgentc.exe"
  2⤵
  PID:9188
- C:\Windows\SysWOW64\recover.exe
  "C:\Windows\System32\recover.exe"
  2⤵
  PID:6888
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe"
  2⤵
  PID:7640
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:10220
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe"
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:9240
- C:\Windows\SysWOW64\regini.exe
  "C:\Windows\System32\regini.exe"
  2⤵
  PID:9232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1132
- C:\Windows\SysWOW64\Register-CimProvider.exe
  "C:\Windows\System32\Register-CimProvider.exe"
  2⤵
  PID:7008
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe"
  2⤵
  PID:10216
- C:\Windows\SysWOW64\rekeywiz.exe
  "C:\Windows\System32\rekeywiz.exe"
  2⤵
  PID:9132
- C:\Windows\SysWOW64\relog.exe
  "C:\Windows\System32\relog.exe"
  2⤵
  PID:8892
- C:\Windows\SysWOW64\replace.exe
  "C:\Windows\System32\replace.exe"
  2⤵
  PID:9080
- C:\Windows\SysWOW64\resmon.exe
  "C:\Windows\System32\resmon.exe"
  2⤵
  PID:7888
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe" /res
    3⤵
    PID:10148
  - - C:\Windows\system32\perfmon.exe
      "C:\Windows\Sysnative\perfmon.exe" /res
      4⤵
      PID:10156
- C:\Windows\SysWOW64\RMActivate.exe
  "C:\Windows\System32\RMActivate.exe"
  2⤵
  PID:9232
- C:\Windows\SysWOW64\RMActivate_isv.exe
  "C:\Windows\System32\RMActivate_isv.exe"
  2⤵
  PID:7008
- C:\Windows\SysWOW64\RMActivate_ssp.exe
  "C:\Windows\System32\RMActivate_ssp.exe"
  2⤵
  PID:7988
- C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
  "C:\Windows\System32\RMActivate_ssp_isv.exe"
  2⤵
  PID:10384
- C:\Windows\SysWOW64\RmClient.exe
  "C:\Windows\System32\RmClient.exe"
  2⤵
  PID:10520
- C:\Windows\SysWOW64\Robocopy.exe
  "C:\Windows\System32\Robocopy.exe"
  2⤵
  PID:10652
- C:\Windows\SysWOW64\ROUTE.EXE
  "C:\Windows\System32\ROUTE.EXE"
  2⤵
  PID:10816
- C:\Windows\SysWOW64\RpcPing.exe
  "C:\Windows\System32\RpcPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10896
- C:\Windows\SysWOW64\rrinstaller.exe
  "C:\Windows\System32\rrinstaller.exe"
  2⤵
  PID:10988
- C:\Windows\SysWOW64\runas.exe
  "C:\Windows\System32\runas.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:11008
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  PID:11076
- C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
  "C:\Windows\System32\RunLegacyCPLElevated.exe"
  2⤵
  PID:11088
- C:\Windows\SysWOW64\runonce.exe
  "C:\Windows\System32\runonce.exe"
  2⤵
  PID:11100
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe"
  2⤵
  - Launches sc.exe
  PID:11132
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe"
  2⤵
  PID:11176
- C:\Windows\SysWOW64\sdbinst.exe
  "C:\Windows\System32\sdbinst.exe"
  2⤵
  PID:11220
- C:\Windows\SysWOW64\sdchange.exe
  "C:\Windows\System32\sdchange.exe"
  2⤵
  PID:4208
- C:\Windows\SysWOW64\sdiagnhost.exe
  "C:\Windows\System32\sdiagnhost.exe"
  2⤵
  PID:10304
- C:\Windows\SysWOW64\SearchFilterHost.exe
  "C:\Windows\System32\SearchFilterHost.exe"
  2⤵
  PID:1384
- C:\Windows\SysWOW64\SearchIndexer.exe
  "C:\Windows\System32\SearchIndexer.exe"
  2⤵
  PID:4652
- C:\Windows\SysWOW64\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe"
  2⤵
  PID:10532
- C:\Windows\SysWOW64\SecEdit.exe
  "C:\Windows\System32\SecEdit.exe"
  2⤵
  PID:10536
- C:\Windows\SysWOW64\secinit.exe
  "C:\Windows\System32\secinit.exe"
  2⤵
  PID:7412
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\System32\sethc.exe"
  2⤵
  PID:10340
- C:\Windows\SysWOW64\setup16.exe
  "C:\Windows\System32\setup16.exe"
  2⤵
  PID:10620
- C:\Windows\SysWOW64\setupugc.exe
  "C:\Windows\System32\setupugc.exe"
  2⤵
  PID:10392
- C:\Windows\SysWOW64\setx.exe
  "C:\Windows\System32\setx.exe"
  2⤵
  PID:10712
- C:\Windows\SysWOW64\sfc.exe
  "C:\Windows\System32\sfc.exe"
  2⤵
  PID:9080
- C:\Windows\SysWOW64\shrpubw.exe
  "C:\Windows\System32\shrpubw.exe"
  2⤵
  PID:10456
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe"
  2⤵
  PID:10780
- C:\Windows\SysWOW64\SndVol.exe
  "C:\Windows\System32\SndVol.exe"
  2⤵
  PID:10844
- C:\Windows\SysWOW64\sort.exe
  "C:\Windows\System32\sort.exe"
  2⤵
  PID:9940
- C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
  "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
  2⤵
  PID:10880
- C:\Windows\SysWOW64\srdelayed.exe
  "C:\Windows\System32\srdelayed.exe"
  2⤵
  PID:10824
- C:\Windows\SysWOW64\stordiag.exe
  "C:\Windows\System32\stordiag.exe"
  2⤵
  PID:10784
- - C:\Windows\SysWOW64\fltmc.exe
    "fltmc.exe" volumes
    3⤵
    PID:9972
- - C:\Windows\SysWOW64\fltmc.exe
    "fltmc.exe" instances
    3⤵
    PID:6212
- - C:\Windows\SysWOW64\fltmc.exe
    "fltmc.exe" filters
    3⤵
    PID:10896
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query /xml /tn Microsoft\Windows\Defrag\ScheduledDefrag
    3⤵
    PID:5024
- C:\Windows\SysWOW64\subst.exe
  "C:\Windows\System32\subst.exe"
  2⤵
  PID:10960
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:11048
- C:\Windows\SysWOW64\sxstrace.exe
  "C:\Windows\System32\sxstrace.exe"
  2⤵
  PID:1724
- C:\Windows\SysWOW64\SyncHost.exe
  "C:\Windows\System32\SyncHost.exe"
  2⤵
  PID:11148
- C:\Windows\SysWOW64\systeminfo.exe
  "C:\Windows\System32\systeminfo.exe"
  2⤵
  - Gathers system information
  PID:11180
- C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
  "C:\Windows\System32\SystemPropertiesAdvanced.exe"
  2⤵
  PID:11252
- C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
  "C:\Windows\System32\SystemPropertiesComputerName.exe"
  2⤵
  PID:10408
- C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
  "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:8276
- C:\Windows\SysWOW64\SystemPropertiesHardware.exe
  "C:\Windows\System32\SystemPropertiesHardware.exe"
  2⤵
  PID:10524
- C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
  "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4316
- C:\Windows\SysWOW64\SystemPropertiesProtection.exe
  "C:\Windows\System32\SystemPropertiesProtection.exe"
  2⤵
  PID:10528
- C:\Windows\SysWOW64\SystemPropertiesRemote.exe
  "C:\Windows\System32\SystemPropertiesRemote.exe"
  2⤵
  PID:2484
- C:\Windows\SysWOW64\SystemUWPLauncher.exe
  "C:\Windows\System32\SystemUWPLauncher.exe"
  2⤵
  PID:10344
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\System32\systray.exe"
  2⤵
  PID:9668
- C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:10800
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\tar.exe
  "C:\Windows\System32\tar.exe"
  2⤵
  PID:6044
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe"
  2⤵
  - Kills process with taskkill
  PID:6284
- C:\Windows\SysWOW64\tasklist.exe
  "C:\Windows\System32\tasklist.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:7072
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:7428
- C:\Windows\SysWOW64\tcmsetup.exe
  "C:\Windows\System32\tcmsetup.exe"
  2⤵
  PID:6944
- C:\Windows\SysWOW64\TCPSVCS.EXE
  "C:\Windows\System32\TCPSVCS.EXE"
  2⤵
  PID:10412
- C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
  "C:\Windows\System32\ThumbnailExtractionHost.exe"
  2⤵
  PID:10484
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe"
  2⤵
  - Delays execution with timeout.exe
  PID:7612
- C:\Windows\SysWOW64\TokenBrokerCookies.exe
  "C:\Windows\System32\TokenBrokerCookies.exe"
  2⤵
  PID:7724
- C:\Windows\SysWOW64\TpmInit.exe
  "C:\Windows\System32\TpmInit.exe"
  2⤵
  PID:10752
- C:\Windows\SysWOW64\TpmTool.exe
  "C:\Windows\System32\TpmTool.exe"
  2⤵
  PID:5124
- C:\Windows\SysWOW64\tracerpt.exe
  "C:\Windows\System32\tracerpt.exe"
  2⤵
  PID:10768
- C:\Windows\SysWOW64\TRACERT.EXE
  "C:\Windows\System32\TRACERT.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10984
- C:\Windows\SysWOW64\TSTheme.exe
  "C:\Windows\System32\TSTheme.exe"
  2⤵
  PID:6284
- C:\Windows\SysWOW64\TsWpfWrp.exe
  "C:\Windows\System32\TsWpfWrp.exe"
  2⤵
  PID:10772
- C:\Windows\SysWOW64\ttdinject.exe
  "C:\Windows\System32\ttdinject.exe"
  2⤵
  PID:10424
- C:\Windows\SysWOW64\tttracer.exe
  "C:\Windows\System32\tttracer.exe"
  2⤵
  PID:5444
- C:\Windows\SysWOW64\typeperf.exe
  "C:\Windows\System32\typeperf.exe"
  2⤵
  PID:7044
- C:\Windows\SysWOW64\tzutil.exe
  "C:\Windows\System32\tzutil.exe"
  2⤵
  PID:8160
- C:\Windows\SysWOW64\unlodctr.exe
  "C:\Windows\System32\unlodctr.exe"
  2⤵
  PID:10448
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe"
  2⤵
  PID:8932
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /REENTRANT
    3⤵
    PID:2964
- C:\Windows\SysWOW64\upnpcont.exe
  "C:\Windows\System32\upnpcont.exe"
  2⤵
  PID:7576
- C:\Windows\SysWOW64\user.exe
  "C:\Windows\System32\user.exe"
  2⤵
  PID:1980
- C:\Windows\SysWOW64\UserAccountBroker.exe
  "C:\Windows\System32\UserAccountBroker.exe"
  2⤵
  PID:5348
- C:\Windows\SysWOW64\UserAccountControlSettings.exe
  "C:\Windows\System32\UserAccountControlSettings.exe"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\userinit.exe
  "C:\Windows\System32\userinit.exe"
  2⤵
  PID:4580
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    PID:3460
- C:\Windows\SysWOW64\Utilman.exe
  "C:\Windows\System32\Utilman.exe"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\verclsid.exe
  "C:\Windows\System32\verclsid.exe"
  2⤵
  PID:3480
- C:\Windows\SysWOW64\verifiergui.exe
  "C:\Windows\System32\verifiergui.exe"
  2⤵
  PID:3156
- C:\Windows\SysWOW64\w32tm.exe
  "C:\Windows\System32\w32tm.exe"
  2⤵
  PID:8480
- - C:\Windows\system32\w32tm.exe
    "C:\Windows\System32\w32tm.exe"
    3⤵
    PID:10768
- C:\Windows\SysWOW64\waitfor.exe
  "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:196
- C:\Windows\SysWOW64\wecutil.exe
  "C:\Windows\System32\wecutil.exe"
  2⤵
  PID:11132
- C:\Windows\SysWOW64\WerFault.exe
  "C:\Windows\System32\WerFault.exe"
  2⤵
  PID:8380
- C:\Windows\SysWOW64\WerFaultSecure.exe
  "C:\Windows\System32\WerFaultSecure.exe"
  2⤵
  PID:1348
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\System32\wermgr.exe"
  2⤵
  PID:4640
- C:\Windows\SysWOW64\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe"
  2⤵
  PID:8856
- C:\Windows\SysWOW64\wextract.exe
  "C:\Windows\System32\wextract.exe"
  2⤵
  PID:5312
- C:\Windows\SysWOW64\where.exe
  "C:\Windows\System32\where.exe"
  2⤵
  PID:3744
- C:\Windows\SysWOW64\whoami.exe
  "C:\Windows\System32\whoami.exe"
  2⤵
  PID:11216
- C:\Windows\SysWOW64\wiaacmgr.exe
  "C:\Windows\System32\wiaacmgr.exe"
  2⤵
  PID:3952
- C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe
  "C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
  2⤵
  PID:1980
- C:\Windows\SysWOW64\Windows.WARP.JITService.exe
  "C:\Windows\System32\Windows.WARP.JITService.exe"
  2⤵
  PID:10648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10648 -s 208
    3⤵
    - Program crash
    PID:7164
- C:\Windows\SysWOW64\winrs.exe
  "C:\Windows\System32\winrs.exe"
  2⤵
  PID:8316
- C:\Windows\SysWOW64\winrshost.exe
  "C:\Windows\System32\winrshost.exe"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe
  "C:\Windows\System32\WinRTNetMUAHostServer.exe"
  2⤵
  PID:10896
- C:\Windows\SysWOW64\winver.exe
  "C:\Windows\System32\winver.exe"
  2⤵
  PID:7320
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\System32\wlanext.exe"
  2⤵
  PID:9804
- C:\Windows\SysWOW64\wowreg32.exe
  "C:\Windows\System32\wowreg32.exe"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\WPDShextAutoplay.exe
  "C:\Windows\System32\WPDShextAutoplay.exe"
  2⤵
  PID:4488
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:4036
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe"
  2⤵
  PID:3396
- C:\Windows\SysWOW64\WSManHTTPConfig.exe
  "C:\Windows\System32\WSManHTTPConfig.exe"
  2⤵
  PID:7676
- C:\Windows\SysWOW64\wsmprovhost.exe
  "C:\Windows\System32\wsmprovhost.exe"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\wusa.exe
  "C:\Windows\System32\wusa.exe"
  2⤵
  PID:7112
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 400
    3⤵
    - Program crash
    PID:7164
- C:\Windows\SysWOW64\xcopy.exe
  "C:\Windows\System32\xcopy.exe"
  2⤵
  PID:10316
- C:\Windows\SysWOW64\xwizard.exe
  "C:\Windows\System32\xwizard.exe"
  2⤵
  PID:10132
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:8316
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:10696
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:1432
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:9208
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:5648
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - Views/modifies file attributes
  PID:6808
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  PID:3212
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:7620
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  PID:7892
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  PID:5132
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:7032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3428 -ip 3428
  2⤵
  PID:5280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 9936 -ip 9936
  2⤵
  PID:10608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 10648 -ip 10648
  2⤵
  PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1688 -ip 1688
  2⤵
  PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5268
- C:\Windows\system32\dashost.exe
  dashost.exe {c19afbaa-82d9-44bb-a439aab9346efdae}
  2⤵
  PID:5280
- C:\Windows\system32\dashost.exe
  dashost.exe {56d9536c-835e-41e1-b45b62aefd421554}
  2⤵
  PID:6200
- C:\Windows\system32\dashost.exe
  dashost.exe {8f3b5940-387d-4ed6-8d951b9416ec0449}
  2⤵
  PID:6496

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k defragsvc
1⤵
PID:3428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6172

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:6788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7120

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:9120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
1⤵
PID:5956

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23}
1⤵
PID:4396

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:5264

C:\Windows\SysWOW64\wiaacmgr.exe
C:\Windows\SysWOW64\wiaacmgr.exe -Embedding
1⤵
PID:5392

C:\Windows\System32\wiawow64.exe
C:\Windows\System32\wiawow64.exe -Embedding
1⤵
PID:8872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\762a663780ed684ede611d879d94f736_7e5d8f25-ae8b-4678-a37c-5abaa99a2062

Filesize
107B

MD5
285a69c654f4a4d175a7e094a59783ed

SHA1
7760730b262195a92c84d6a0f17a08164c31d5bb

SHA256
723b3893c754f5d2f29aaab9d3fba28eb58d21506c2be5acb2338d9a52d82e0a

SHA512
05aaf2988960fb09f05c024d3d38f273ff3501574977ca3c3cabf7853a52abfdd3a6b8ee213357ce518ae2d1dd5375f3917f47e0ac633badb146df0ccbb12f2d

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\762a663780ed684ede611d879d94f736_7e5d8f25-ae8b-4678-a37c-5abaa99a2062

Filesize
2KB

MD5
8f2437c4c3a243cb8e55e7c1d60227af

SHA1
54633be093ad34a7c960fea3fc9722be981b570c

SHA256
5835a86360cb03276661d591cb70ff3348e5327d8fe1dccdc53160926ed36051

SHA512
aaf13346baa68c672b5294540f70751517d3b1be14722af919497a2d9f5ed23e8e375823adbc3df9b20506404d9b0fbb5ed5380903187c4ea8fa2108441a27c8

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-167299615-4170584903-1843289874-1000\CERT-Machine-2048.drm

Filesize
28KB

MD5
6e387b21b5e351f33c2a91aed02c9b9f

SHA1
645bf56fe6a9bf216db50cbc4723cca0ad0b57b3

SHA256
b2df2bd21a6fefd61e3a610a558cd30b8b88401cd0b34259433d3518165e89f1

SHA512
4a7cb170ef2926bbf5d29531ae37bb5b331d3cfbcdfa2adc966b8fa04f46a0fd4bdaad7360a7e4f7739958e0032a2391adfc62743eea66ab619e24569baa9641

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-167299615-4170584903-1843289874-1000\CERT-Machine.drm

Filesize
25KB

MD5
f1e40b8944264dbb5e8ba79d8084248a

SHA1
02d4a91eec9d4947bfbfdc35ec104b9144d5486c

SHA256
294c3ecaf7b8db8aaeb688fd9acb6ae6959041ddba4392a43ccd9b2250202ad0

SHA512
56aa992b275e01b92f2192cb752ca993073591b361774f2bce5ae0b35706ab700cfcfb2bd69f1bc46c64fda7736f993dd02076abfdfd930fbc5cddf297498470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
3b0189db6a6794166ec0a91d7868192e

SHA1
ac9564e3c1688da93bcf0a924321a912dbfcd6ae

SHA256
5541ad79008f97fb5ddf26ed45e3fc38f8113b142c13c0e6f242645d5098f9c1

SHA512
2291785340262cf2c7ed40cbdd7083a4e6871db2d1bb9a03651ec7870bb5a7f434033d1eb9d3d25760f545e1b33b6c41d40af10d61a8b1e54088350a32fa62ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
43a33b75bd884c6af19b54e128b4b8da

SHA1
731fa63d2e34d4142c8600438a416c143c3da2a1

SHA256
f3302d9a9af5cc4e8c5dfa069f0a14851309ebd40ced0a472e13a1b2c7ba96f2

SHA512
a396a51b281c64e002031c81d9fef3b1e18f51e4ae97d07383e891511e87ad7feab062b1abfe8dacb3b9499125199662790c9e9bc40fbfd50393a08ebd094ceb

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\45a5e5b635b28e7a\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm

Filesize
28KB

MD5
92beb56100add424c3720309d2ee3dca

SHA1
2cbc5150561fd539b81163921bc3b7cf2e2c3d69

SHA256
b8f159b594f5e756b6542d2e7340cbbb95a3bcdf20433343047d12be7422989b

SHA512
0a6780af845d5c43dacb90382fc35a053b0162fbf394bb510ac79a2e31b924555df6ea6c917af183d9c9ff83b6095d7a22184800151a4b31d7611b791bd3f36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm

Filesize
25KB

MD5
7a47a387661abf55ec3e9a4c61a4d322

SHA1
2e5354e11616a3a8d7fa2a0e9167bed361a52168

SHA256
1ae6e229ae87535a0b09b9d5a8ca48f50b72a2faefa23d1b54e6a88384ec7d7b

SHA512
57f414777181fc73b939e7ff097dd79ceb00d29169087674f748af8a036d2fed8cad6347879a4fa76b9e0c18f7d9e69624db6948e68d2027cb6a8b7a9ed70af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e5f3655796637b7d0f4a8ed402e119ea

SHA1
3baaf516676664d46727759914745776a166016a

SHA256
22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd

SHA512
2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
59f416814ece56a8fd770b70583b1024

SHA1
5a86273aedb9bf7d4a939e6eb9121381e8b0a215

SHA256
2aa818036afa4e4f40b9f83fb7d4243d90ce5794f615a8d4a613a3159a5ca772

SHA512
08bcc31f468cc8d6e300452bfcf2d53f180a482ed5f44908535dd2dde0d1bc6315f53a26d4dd77579e1ba75f6125d2cb65fd9ec98a2976a0658c5aefeab8ae20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a62ac758f03ff2703b742ca5d8c002bd

SHA1
32acaf3f2e8e420914254a54a3492fb8d5074fe6

SHA256
25641bdba35bb9e0d8169dd1b36cf95a7c6542f200e381132cc934323361be8a

SHA512
115979810c2449ca72b2954edc1503bca1b6644b957383531858bd1dd2e89426f5a7a83aecf03e1d8cae2cc6d663be8d25f729c151fb8207ec8f0f6d3ae1b0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe590dc2.TMP

Filesize
2KB

MD5
3c6b6d6075e1c3a2103315e5563554f0

SHA1
cd3e35e6bc3baf51faf2880f37ad084a1360b275

SHA256
689562f9e38662a45b2dfec2095886dc943115677be14d9b40f5fcb2c948c1ea

SHA512
aacfa79964657241d6c4744237723277e381e76b6ca96b58b079e1cef48ef479ab2f76b1534ed06835703c1178db3968f2be6b37f3c843bd5bceece81bf7ca8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d4a27a40c69346d6c3ea5d861265545d

SHA1
ede44d0608e6bc343457e4caa23eb69954c6fd69

SHA256
ad96709b54667dddd01c04aa31715b64468c3bc32209b35918700abde9f75aab

SHA512
12df6e501dd7da955cb49a065a4b055d44dff1d7ace67b46595130beef6e98b883be730ca0f02d323a457138d6e02756d7cc9e5567a6a6d374a9b478202fe7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
df2ce4c1203e542b512b830e5a877275

SHA1
0c1dba2f9fc4c34f4ace9a93b4e3d72c48ab5395

SHA256
d444f96064f722141603829f9bc69fea07e07e5dd82a16c9175a2680a6ff6279

SHA512
7d85a50e25eecdb15811937adb23eec8c973dc32bfd97a785f84c3bfb227a85f1db33745a6ddd58646b0ca7b5e99d9d0de93977f3ac851b36f0e7613c3419a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
e4edf54620f43c18cab883397891c1c5

SHA1
81383955f83ad0cefea8f327b87f0cf38af9597f

SHA256
298f1c97db0dd4bb039d4582c8fbb996c9a3eca0e8748822ec30f36fd0804c51

SHA512
af0cdfc537d9d886d04a7f2d14ad9aade609b706114de72b35ec1f98beca86fabe73075e257c8cea9baf51cc479ef58c334eb8a98544035c3640050a09759fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
1cf13484ba57bb23de39d748ebe0946a

SHA1
0426abd1aa0cc5d4ad4d5fa8092422590251efe5

SHA256
6d9b14ea19427ea773fabeb5884d38df8ec3ac2d9fee5a5242ca8678651557d8

SHA512
23e334099d3841dbfab4fa0905b0dbfd7338e92c57c1bcef562970b589305ad4fc8631df6b9835c38639cd316ccc69ee6cd3cf8ef37dcf552d484c483de3fa15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index

Filesize
72B

MD5
8e0db3c2f4184538b105955a4e5b03ea

SHA1
3b3f80db9aa89f0aa8232a34d9ef1189e391a9ba

SHA256
588fb1745cc7a9f32e0bfc2428451054561cf4d0b058572b9a7ea613a6145a94

SHA512
1e71913d1873d5bcbfe2142f81196ef335d97b95196dba6f627642242b9b0eb3e51c6de1c2ee12508dc2589872447a0d7149b621317e812a1d37195902f38d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index~RFe59b02c.TMP

Filesize
72B

MD5
6e7e098e7f9c9d73347f25cfec0cbd30

SHA1
24e68dae9cedc5db531da8b7782d632a1df14e6b

SHA256
bfa2d97018769668d33021dd998f8c245b322551811b6e6490e039677755ffc7

SHA512
9d3d5319fbbc197334ff6d1f24ad6101fca83b9a00ef90705b8bd8606085093933a15a3aceb2fc52159229342d5a69d875aace150c014ff38d57c4830d659f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index

Filesize
1KB

MD5
c854250ba86fe897c86e721edd928b16

SHA1
8f372e75034685cbbb0b53a75950b557cec42e8d

SHA256
e55b9b7eb6e21ce3ff405ccda6381b3a37cd19e8d5fed1bd5862f3ae8045a256

SHA512
f422facade96273304cfcb44c5cc3c3196d5573607a102bcf81db8734645fb0d46ee80e63ad0b6ac3db44dfa38c4e83b04960d7ef19e4a88c7346d4714b54296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
78fe7e43e83f55bbee835c09e8074f27

SHA1
9e83e6db41e28824a8958ea837825c9c36e98e09

SHA256
47ffff6b9821d263fddb710a2f7ffcef4896b35e2c14d24b990eea475a9c6cfa

SHA512
34877b2e84ea444e4e0e81d38a890b9d91faef87304a5a9cd677ccdfd56e505e8bde5226c449378e5e2af91f0f9334983c3b24e09d995f69c9f664ac223db592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
104eb188e67db62aa74b429e751fa1aa

SHA1
eb46c89b067eb67d00fa1281fc150bfe5fed598c

SHA256
dc5697659278c469a7a3c29d6a81fb0cec3f5eee2fee30f9ef367df6ec5910b3

SHA512
1fb68f8f3f376170e1d758c49ce2dda64caa44a5ae52dfdaa443ff6707a3c5b960c090c42ded24707c3b7755e2eafd0ab51ab8c122a5e81a29e83a34db8674de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3c2c50b54729d427653a4c8c472c25b5

SHA1
c03d4afb8e5183247056bf9db0a79b6ce2309c54

SHA256
1766d79c354638c35c35908b28c2b941ba89f97f96213e5947e3248c21a6c9c6

SHA512
7a5f11edc80084acd35876d3ec5a61a5ecafb6d32aa81c0b7df5f2fb777009e3443eacdfc0dca8f3db33a3bb8a3273d65fe4ac33d2c0c0f9e41bdb6981a5f28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59d884.TMP

Filesize
48B

MD5
64ce5e3f0051e99840a6e66a437ff02b

SHA1
a8aab059b14eb4122524afaa5eaf54d5c823c956

SHA256
11df7009c305a0dee7caf2e924bc93b661fdaf33caa212e8c5405b4f8ede9ab5

SHA512
fbeb5684b2a733d009cf3668e5dd4fc0c591075e5e4e81ba6e85fc2775598b8210b89bd48369e38f010adf3584eaaaf6ac7c8fc82b068e81874277a8cd134c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
584fbdac25626f1dd6afcd19929ff4fe

SHA1
5bc390548e8623790c021ab350c2c1d16bbff04e

SHA256
45bbc12506276b4e8d9c08e57cabbccba23364e1abcdce1fc6a51db9cdfb6654

SHA512
a6ba940c3825e928b2b4d50a1a1f43a19c29b4aaf58473b3e27986c6bf9aef9f0cdd97097e82d2fb79a4e1267bc9790024a331c863320866be71f62cd9284f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
3d02e76d1577abc9e3eebf4a7c99f9f9

SHA1
172f566ad4dcdc9d992d27a3307effabd3580dcd

SHA256
568ec9a9ec7b1fd092794d81cd11e389aface0ee73a156c3a54384e51d490ea0

SHA512
71ffdf959ba7a2c99b87df4f7f366f52e03028896c0d4f15ae6b88d1fda15c55da8f6990714a548beed04547a4ee394d6d2c7e362c298595b5bd4f7a47c23c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
29fe027dd12b35b91bec173f486cd426

SHA1
991a14de821d1dbd504f8e3b856d82eae2246ad6

SHA256
e878d9f9b2b18c6b69983a5cc92de6950cd5f72c5603e478976cfc157194cee7

SHA512
20d8146f9a87258d55c7ac0fb640daf5f912f358e6da30748c4d30bafa7063c1964450947698e7862e806dfe747b6e4edf30e54962ad571cc4f5764a4bae4fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
9ac08778ce97f1044ba0d3800f6daa26

SHA1
65554b9297f016ee52907f99a0ee6f9e3851ee3c

SHA256
83754594c9ae4e7e541e25387e95309d3b88d002bfbb1ea40bc67ced831c3588

SHA512
5f6430bbdf6a98e2f7e34d05d87283afdaa06963e50e7907fe7bbc2135af9f8d3c7efc7cfdc3e917b69300fe78e8a9568e759c66bd8ee190dc606010fe761a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
239a07b85fa9e4eb495ef3921edea87b

SHA1
edeaceb5c8b678ba1c7bcf7f3673d5ccc727bece

SHA256
fb9ae4fd2e88c3a557d940ee81f3b18c7560dbcc8b5f5ee9dce48fe39a06d102

SHA512
b5305e4f6264d0935732d889ff49342e17b10a946e31484c5b4c16f28734caa564ed5ae47e26675dd58147840d75caf7049989c14eea47cad473121f02a34114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Resmon.ResmonCfg

Filesize
17B

MD5
407aab8c27cf7081eece071c90a65b83

SHA1
d9ec9f9d3768fb1c3646284d77f519f74ee6b8cc

SHA256
568269850dbb3f5f52e0e38e3c0b29be06c70c58fe425b39746f5ccefdd668a4

SHA512
88a35933e87dbdd298577bdb33afb1f878dc68f43e7916c4102e893fe04812a9522ed66755df03105fd199fdc3c6bd197051c22b2ea2765d0adba5c375ddd35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mo30hmjy.jph.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
d233c06ff90267bb1cec981f5c057b75

SHA1
9cb91fe0940ba501788d6273a0d75984959b3e70

SHA256
21c014db9753510e62ecf3407cf33687bfc1b3c8afe6c4788610a2bc72af0779

SHA512
8561cea18141611eab2226a671c1b91b5541e341a90b18ae5878b876d0c8b3c1f7812896a37df3e5461c2c94c2c394e9c921a70518e820fefee72109f9070b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
1b8afef08dac50fbb23b48e3f0e0d537

SHA1
3261141c4fd0b53b1035271df24e96c27d3ca635

SHA256
6a500ea50f3dfe543adfa2af6c71bec35c3956183eafad7c8f9a5ba2948d8ce0

SHA512
ae9e1af5a43a3fceb26af2b2bb21329f3ba6e483904124fc5cfbe68801c64a5ad4b83365db0d3073dba93e98fa46375c878a4501c553616fed4fdfc4a21d8ad7

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
5KB

MD5
43b9de3126d70f7088e08c6c689dae8f

SHA1
4d05a7db4d551af59d4daece4a70acb675cb18a3

SHA256
f0225b309468e5b1761734d5dabb8c2ab50736f0d16b00a72255348827dcb097

SHA512
853709d9a44c346d19fe2f6745b338b8588b38de3ed7e697fa3463c635ef5b3a733faa52921fd06599b845959018223ca4884a5ac4530854dd72d568c09dde63

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
279KB

MD5
611174bd384d3ea6c26ea134ee1798dc

SHA1
3ad08f4c34363e73b74e011bea7338db84482a42

SHA256
5e521b32f992c93f549b4cdcf4e159d3a6622287d11d284f574d3107a06467f4

SHA512
f145db6993b1e5ecab367f00fb59a85fce35953a9d61fbdc3c4a4b97c8573fbe8f4677847f4651ca21fc46554b0e779a3b38514b4578e9285b0c43cfd01edd75

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
00932e8496cb219f88f682929ad2a92e

SHA1
53d0db14d9330affebdae085dfa73663f32f5c29

SHA256
b1ebeb84a1e9ea88f75ffc093d93eaf62c10ad91bad1fe63e5b3106e5448b86b

SHA512
c80c819b975c7564648be970adfa48969c858cc66b81d69c764dc724b988568feef1fbdd18986ae31dbcd24ec04b001d52975cc9c2bc34b912fe7daa4a355ad4

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
14KB

MD5
24d6187bd91e70224bc7ab457ea6730a

SHA1
ac57a9bee0c269cea407a55d0c249bdc7527266b

SHA256
83fa2c4177c7c192501bfa7ec37eb54a640cbabffd8490c0cd84ba8461adc9b8

SHA512
b48dda1665112a2eb872e76c41d6d07243d0ae1ae35953bd164d86728629eb8427969d3908bb698052e898b24598988c1b4daf95befccd0d8fd97cca6054c54b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
16KB

MD5
2a96ef792cff78b5510044cc9edba7d6

SHA1
4aa13da126b2ef28f6407e1bb06b65f8bb801846

SHA256
a73725b0c661ef10deeb7c216bfcd5cc09c8548c7cd6c71d9f06c8a1b0d9cf8f

SHA512
5908ac1dad504fb1ab0d430b0d2650fba9436ead620b621eb6d1600157a30d0ac8738075557d77a93dc695663c12a78abc2b0b0dbac6434081958f28a8dbb966

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
18KB

MD5
2e6e9a123d8917fde5b8bf3765f9d104

SHA1
8e0da9a05af3461cdaf9bdda8cdbcacb250c98d6

SHA256
683d87ec68409cc7498b5da5bda5f4bda60f684b837e21187c6ffbe0e3af2470

SHA512
4153b2c4e9153137a4b0e520420b47102b9c9d728879df8124009904fd3911c6d68076ae24c635ff4031532ba571cfd291cac85859b4de3a107e45201e07dfee

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
b9ac08ca472f2fdc793e4c3b44411c9e

SHA1
257b5f0aec9232eb8d95f753875399e7de842360

SHA256
7446440075c13627066eccb7c8a0d0fbde6929e36f230c44b356ef1d2c941a7d

SHA512
e20489ae11bdde7763a06efb68302eaef5705c7597c5c56e155e660e1a05faae7b42559110e886f4da0582e0b1a5f3fae4f2cd3d532ea0bda3c2998b6c676cbd

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
2b3176d84b686a87c302e2fcbce0b5e0

SHA1
8c99ddfe18d277c7502d539acb0e2b3d10242fed

SHA256
bf3d267d78918d1c58d018054fc38750d41ef9981dacfefd9490b4c60ea0bf4f

SHA512
af2b8879a6da5f3a7e3235e896258cb1e5c724a6f3b44564fb2f8c0d77105f8a0b58c4c10f761a85f361bd823b0700e2fd21449c129b75803cd0916b722b536a

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
16KB

MD5
38d928778584d032e59bbd0324415e14

SHA1
a17c2c4a3d9bda07f02d69c26b402db79352be8f

SHA256
f62493159ac9a61a0017730c31a2ad05f028e6daa4e56668d8fa7426dadcef4f

SHA512
4a2765c8e44996b108a5d2969f18844326fb5d138ebe42faa671709fc90029768d5d1376db3fae836eb7d239acb2aadebf108e484e44ed7546432fe74eab916f

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
17KB

MD5
74bcf05f2a7de61c1849367e9d424c57

SHA1
af745830fcbd68a84dace916fa68bbb541063987

SHA256
af533c19487fe35fb0041b4cbae8c994a21ae357adbfb83cf57a43a83d7244d9

SHA512
3369e5dce528e004257f6d1e95397249349e830df7e13b52417252d595e823f880ce77c4616c9728ffc2a69f926f98bdfd8c2e63f7ab025aee364a76563350ea

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
d8b0795d6cbbe3fec8f75db4f45979e5

SHA1
9f60c6e544b4e3a6fddb0a12c0f42e1317869554

SHA256
322cdb67e56844a824a57faa2b2c24807f78f149ef3f03739b360a6dd9018a75

SHA512
e15583c16bdae5106307788e4185b924ef695d15a11d8a0f8f8263417daded62b03a340643b9b40fb3c1267f59e0ff93812a7e14dbf9c512bbd7d8a53e5e0281

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
45KB

MD5
433c8bf78b2b6220d73562df48477955

SHA1
99f9351eff22bb69fc31dc047e92b6701003638e

SHA256
ee23ba57f6631b9504200ffb1444b6563c0d6ef27a19d6a2e854a0f9b0a23877

SHA512
8a4fef4e275f5d15c6a6e8dca0a8db057d71e6958f1ae764e436ba935806db453f9bc573b85da610b3e470fe4dcb7338626de763c52c0f6d2bdd2ce4e7a4c986

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
45KB

MD5
d530726af1e3bf014818d1d3522475f2

SHA1
49172ccc99e700407f8ac2b220a0d4d03cc2a040

SHA256
551d33f44b477dfe1ba628ef60de045cf90a751706e5b4e6ce06bbf5f5adb333

SHA512
60cad8ef435ad7b4927d364ffbfe738c117e6bdae8467f6d69f5e1d28b98b3b492421894014c536af74da2fa5b4b836a0b40b2b980e407960adf45e5912569e6

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
45KB

MD5
495308eadc439c7626a3037dda360d1b

SHA1
8cc6bd9f13005771b48dc667a63830299142a91b

SHA256
2755f48f285760e2684256ede39c4127a13ab4d8df4131eb3c7b57ccb4916175

SHA512
7ed36badeccf0ee6e5a7d601568122149fa7a8708cb559ef9737534739ee8835c37d5faf1b96c24365019fea6e63502e25055b72ab1b5f1ae86b2d7e9e31e273

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
319B

MD5
86435337807467872fc9475a1191670d

SHA1
44cb0fe5c7de3b587d285547a51df04e71fb3d5d

SHA256
c03a70aaa986c90414a5e44b6878bc0171f528957727ecb79085ce40eaeeb39e

SHA512
4901c404be300cb175a06cce33cd02e3860c78a31fbcc4d8fe2a9a2c25c881ec8e2898c09c9a0b042610db4ad6b13a6f259f5d230f23bbba38913c8faa5ec3d6

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
599B

MD5
840171f5e7e67e6e51d521c79c3ed731

SHA1
baf9aadf9d14c62a3146694206dcee4417d70a19

SHA256
e475e61736430ff9402ea81d6c52ea81402b30b5f059eb8373dcd99633e9b686

SHA512
f5b1a84363598ab3d136337c058f94602901830fb702865448f2aedd2fd4ea6e1bc6c00e44e3357de92602b8bb23be7f58e9c733db41f060868dfcc7f3ae7e64

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
825B

MD5
454e8cb1da15681853e3b57060b967c5

SHA1
7794e40bae886e1713bc811a4429c7bb6e320fd4

SHA256
1411b11d59a695c50a29a084c483ae0daf600b4c21ec6070e03a3f13187be920

SHA512
f9afcb1995a656253a15bbaa2a5400621af104c729e8048cbbd62325e3d10b5a7f43544f5e4c74e318e16d91287f000f601880f6e608e21737c25ef7ec542644

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
1KB

MD5
0026b37faec9fd90428711ac34c5bc60

SHA1
43f31dc710b926878a13672b7ac6b0e872119b2f

SHA256
72734a670ff7ef4761a47cea71be713e4c09eb8fa5c89a29e5da14ee4074a1d2

SHA512
3a065afb5e6861daf4c6237dc3e3df9821586d10a43f54ce7ff21cb33a2bd784f397cefabead893ddb3383dda2fd474bff8ec12602f14170ee889911a9674954

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagerr.xml

Filesize
11KB

MD5
fbbc55191aafd935b66588fe1c3c828c

SHA1
274b892538b2f181e73a18582723b2ced2a682dc

SHA256
399337fb49afd31011144615dcaec0147af921fa8c6ca76dfdc8a9cfd00a9b44

SHA512
acb0768fc54cbc80ec4c370fab1e6923174c6e42098aaa7f2d2bcb3581c09bd8bb8e32a67952d260050596180bc1c0925aafb452883d15dd686f01e5dcad1437

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml

Filesize
9KB

MD5
692ca5ebc9e0cef0a8d0be4df7400cee

SHA1
f63dada2e5f7a1d786c93bc3d757642d93b24b59

SHA256
a378a154cfbf27b8471462c657f28a11fee70fd33593ac09ee216c642b26b3aa

SHA512
429b2eba8b421f3bae504ebe94da0ea9e662e5256d16301f46a4590f915b381cbc67b86c2beba391600b5f512412f1dcd9bdefc363b4c63dc7136022fa0f45bb

Download Submit
C:\Windows\System32\LogFiles\setupcln\setupact.log

Filesize
10KB

MD5
3a4786a59da76cb539abcff3c18ff45d

SHA1
d0b3c084e5cff924c8015d2ea044bfa85dd7cf43

SHA256
67696cf9c914c6070fb3ec2ea52e15156cf0da70cd9ab8f820378108df6c4581

SHA512
4cf0d3cb5dd9f28c5cd84857106178a508f726e239991cd714c71e8d38079a5754568f48953f89de459572228513dd51eaf42b2d299d8bd058a23a447271c720

Download Submit
C:\Windows\System32\LogFiles\setupcln\setuperr.log

Filesize
1KB

MD5
ff62b64c046d34fc43f5884f7f62684a

SHA1
ea0d0ab4105f9a4bfe46a13eee4afa3c748f327b

SHA256
ff91fa52b53dc9971ccf1310349602e7e19ea35868d875044fa4572e5ef76148

SHA512
9b7cfa291e369a0fe6d4a1909c95a28b64b94043a9bd24eb9542da888b9be3f2ebf68c80c5a9c08c42f5846740ece9f394ad82f15544a4564d4599e2f93ac5a6

Download Submit
C:\Windows\System32\LogFiles\setupcln\setuperr.log

Filesize
1009B

MD5
bc7d7be8a95594c0611858c3c9dbd390

SHA1
6ce4781ea9d74c86eed847017c979be7b5fa5d92

SHA256
6f1ca17204b76a59836ff581de11e00f36917cc6c6843bec9f8ebcd5fd0b5f18

SHA512
86961aabc38f0ed04985d28ac29668c58a032e5b9613c58e9e03f7eb085838f39a470727bc6314639b6c3f33c9e9da79a3b4a314c84f265fbfdaf2f21dde1ddd

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagerr.xml

Filesize
22KB

MD5
94f5ed670ce92d4b5a6719a3e752cfbf

SHA1
d421de5eb20d30f70984dad33f03f7043910cd2d

SHA256
b7752e547b9926c34a05ca6ed66a98a67083e624107089c5c334f667fe91baf4

SHA512
bf9f89f9ebe26f78ebab2d26003ebc89c6488f549a766ea9c8d8674eb9064843ac60314d0708f1fd60248e55d0c6d98865ad50367eac65769debc33384701472

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagwrn.xml

Filesize
11KB

MD5
dd66b1af99c6372748514585c2bbf82e

SHA1
56ccb8333bd0bf5d771cf0fa842dc5f06833900f

SHA256
cdc7bfea115dcc798b6868f3dd0b9d66ebbdca30ccf16ba93382d03b9ac21529

SHA512
2305d517b206bb9b826796306bfa9e3c3ec48fb0b19b46a5421a9845ef26136e3b4c6ea1d2b4b0f85787a41e95a9003ac6e945288d1b3fbf93aaec2c50408dab

Download Submit
C:\Windows\system32\LogFiles\setupcln\setupact.log

Filesize
12KB

MD5
b86b35ae1f2c01187676824bcd99250f

SHA1
973a782b57bb05dc02a938addbb9c2045f92cc34

SHA256
cd4110af00953f134bb09120fba55f6ec958b7d4ca28ede0916248f5d8d2e108

SHA512
3feba1883fd8bdd9f2564ccfa899a1c3e618757471d96af773682f4319259cc760a3e739483b4e997e336603193e4a546fd99053f23c0eacc4b095dc2a1a998a

Download Submit
memory/6628-80-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/6712-178-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-187-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-188-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-177-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-182-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-176-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-183-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-184-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-185-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/6712-186-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/10772-745-0x000000001C980000-0x000000001CD54000-memory.dmp

Filesize
3.8MB

Download
memory/10772-742-0x000000001B520000-0x000000001B57A000-memory.dmp

Filesize
360KB

Download
memory/10772-744-0x000000001B860000-0x000000001B8E6000-memory.dmp

Filesize
536KB

Download
memory/10772-743-0x000000001C090000-0x000000001C59E000-memory.dmp

Filesize
5.1MB

Download
memory/10784-640-0x0000025F47210000-0x0000025F47232000-memory.dmp

Filesize
136KB

Download
memory/10784-650-0x0000025F47BA0000-0x0000025F47BCA000-memory.dmp

Filesize
168KB

Download
memory/10784-631-0x0000025F2CC30000-0x0000025F2CC52000-memory.dmp

Filesize
136KB

Download
memory/10784-641-0x0000025F472F0000-0x0000025F472FA000-memory.dmp

Filesize
40KB

Download
memory/10784-651-0x0000025F47BA0000-0x0000025F47BC4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads