f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef

Analysis

max time kernel
51s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Holzer.exe
Size

135KB
MD5

c971c68b4e58ccc82802b21ae8488bc7
SHA1

7305f3a0a0a0d489e0bcf664353289f61556de77
SHA256

cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce
SHA512

ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7
SSDEEP

3072:2EYGNIaWY/0kTKxIJXtJ0YCHiQtSetFITTTTTHvvvvvNKB:HN5TKvr9PuKB

Score

8^/10

bootkit defense_evasion discovery exploit persistence privilege_escalation

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
defense_evasion

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
10068	takeown.exe
6456	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Holzer.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6456	icacls.exe
10068	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6296	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
9504	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
10980	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
10452	runas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 2 IoCs

pid	pid_target	Process	procid_target
8808	8540	WerFault.exe	411
10932	10700	WerFault.exe	476

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudNotifications.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cliconfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auditpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootcfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holzer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertEnrollCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BackgroundTransferHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkntfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2844	RpcPing.exe
1012	TRACERT.EXE
6296	PATHPING.EXE
6944	PING.EXE

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bootcfg.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
8696	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5388	ipconfig.exe
4752	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3984	SystemInfo.exe
11272	systeminfo.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
10172	taskkill.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6944	PING.EXE

Runs regedit.exe 2 IoCs

pid	Process
7624	regedit.exe
8404	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
460	Holzer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: 33	4712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4712	AUDIODG.EXE
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeCreatePagefilePrivilege	4964	svchost.exe
Token: SeSecurityPrivilege	1416	auditpol.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeSystemtimePrivilege	460	Holzer.exe
Token: SeBackupPrivilege	5984	vssvc.exe
Token: SeRestorePrivilege	5984	vssvc.exe
Token: SeAuditPrivilege	5984	vssvc.exe
Token: SeSystemtimePrivilege	460	Holzer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2728	OpenWith.exe
5536	certreq.exe
5592	CloudNotifications.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 4780	460	Holzer.exe	100
PID 460 wrote to memory of 4780	460	Holzer.exe	100
PID 460 wrote to memory of 4780	460	Holzer.exe	100
PID 460 wrote to memory of 4932	460	Holzer.exe	101
PID 460 wrote to memory of 4932	460	Holzer.exe	101
PID 460 wrote to memory of 4932	460	Holzer.exe	101
PID 460 wrote to memory of 4108	460	Holzer.exe	105
PID 460 wrote to memory of 4108	460	Holzer.exe	105
PID 460 wrote to memory of 4108	460	Holzer.exe	105
PID 460 wrote to memory of 3936	460	Holzer.exe	107
PID 460 wrote to memory of 3936	460	Holzer.exe	107
PID 460 wrote to memory of 3936	460	Holzer.exe	107
PID 460 wrote to memory of 2692	460	Holzer.exe	109
PID 460 wrote to memory of 2692	460	Holzer.exe	109
PID 460 wrote to memory of 2692	460	Holzer.exe	109
PID 460 wrote to memory of 5376	460	Holzer.exe	110
PID 460 wrote to memory of 5376	460	Holzer.exe	110
PID 460 wrote to memory of 5376	460	Holzer.exe	110
PID 460 wrote to memory of 1416	460	Holzer.exe	112
PID 460 wrote to memory of 1416	460	Holzer.exe	112
PID 460 wrote to memory of 1416	460	Holzer.exe	112
PID 460 wrote to memory of 1132	460	Holzer.exe	118
PID 460 wrote to memory of 1132	460	Holzer.exe	118
PID 460 wrote to memory of 1132	460	Holzer.exe	118
PID 460 wrote to memory of 4292	460	Holzer.exe	119
PID 460 wrote to memory of 4292	460	Holzer.exe	119
PID 460 wrote to memory of 4292	460	Holzer.exe	119
PID 460 wrote to memory of 316	460	Holzer.exe	120
PID 460 wrote to memory of 316	460	Holzer.exe	120
PID 460 wrote to memory of 316	460	Holzer.exe	120
PID 460 wrote to memory of 5548	460	Holzer.exe	122
PID 460 wrote to memory of 5548	460	Holzer.exe	122
PID 460 wrote to memory of 5548	460	Holzer.exe	122
PID 460 wrote to memory of 3620	460	Holzer.exe	124
PID 460 wrote to memory of 3620	460	Holzer.exe	124
PID 460 wrote to memory of 3620	460	Holzer.exe	124
PID 460 wrote to memory of 2348	460	Holzer.exe	126
PID 460 wrote to memory of 2348	460	Holzer.exe	126
PID 460 wrote to memory of 2348	460	Holzer.exe	126
PID 460 wrote to memory of 372	460	Holzer.exe	128
PID 460 wrote to memory of 372	460	Holzer.exe	128
PID 460 wrote to memory of 372	460	Holzer.exe	128
PID 460 wrote to memory of 2340	460	Holzer.exe	130
PID 460 wrote to memory of 2340	460	Holzer.exe	130
PID 460 wrote to memory of 2340	460	Holzer.exe	130
PID 460 wrote to memory of 5160	460	Holzer.exe	132
PID 460 wrote to memory of 5160	460	Holzer.exe	132
PID 460 wrote to memory of 5160	460	Holzer.exe	132
PID 460 wrote to memory of 1048	460	Holzer.exe	133
PID 460 wrote to memory of 1048	460	Holzer.exe	133
PID 460 wrote to memory of 1048	460	Holzer.exe	133
PID 460 wrote to memory of 5536	460	Holzer.exe	134
PID 460 wrote to memory of 5536	460	Holzer.exe	134
PID 460 wrote to memory of 5536	460	Holzer.exe	134
PID 460 wrote to memory of 4252	460	Holzer.exe	136
PID 460 wrote to memory of 4252	460	Holzer.exe	136
PID 460 wrote to memory of 4252	460	Holzer.exe	136
PID 460 wrote to memory of 3064	460	Holzer.exe	138
PID 460 wrote to memory of 3064	460	Holzer.exe	138
PID 460 wrote to memory of 3064	460	Holzer.exe	138
PID 460 wrote to memory of 3268	460	Holzer.exe	139
PID 460 wrote to memory of 3268	460	Holzer.exe	139
PID 460 wrote to memory of 3268	460	Holzer.exe	139
PID 460 wrote to memory of 3612	460	Holzer.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:4780
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3936
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5376
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:4484
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:5968
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:5380
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4292
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- C:\Windows\SysWOW64\bootcfg.exe
  "C:\Windows\System32\bootcfg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5548
- C:\Windows\SysWOW64\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:3620
- C:\Windows\SysWOW64\ByteCodeGenerator.exe
  "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:372
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2340
- C:\Windows\SysWOW64\CameraSettingsUIHost.exe
  "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5160
- C:\Windows\SysWOW64\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5536
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:4252
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3268
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:3612
- C:\Windows\SysWOW64\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:6024
- C:\Windows\SysWOW64\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3248
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\SysWOW64\cleanmgr.exe"
    3⤵
    PID:100
  - - C:\Windows\SysWOW64\cleanmgr.exe
      "C:\Windows\SysWOW64\cleanmgr.exe"
      4⤵
      PID:6912
    - - C:\Windows\SysWOW64\cleanmgr.exe
        
        "C:\Windows\SysWOW64\cleanmgr.exe"
        5⤵
        
        PID:3868
- C:\Windows\SysWOW64\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432
- C:\Windows\SysWOW64\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- C:\Windows\SysWOW64\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4788
- C:\Windows\SysWOW64\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5284
- C:\Windows\SysWOW64\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3284
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:716
- C:\Windows\SysWOW64\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\SysWOW64\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4248
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\CredentialUIBroker.exe
  "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:4204
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  PID:316
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:732
- C:\Windows\SysWOW64\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\curl.exe
  "C:\Windows\System32\curl.exe"
  2⤵
  PID:5680
- C:\Windows\SysWOW64\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:6020
- C:\Windows\SysWOW64\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:3880
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    PID:1040
- C:\Windows\SysWOW64\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:4424
- C:\Windows\SysWOW64\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:3492
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:3968
- C:\Windows\SysWOW64\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:880
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:4588
- C:\Windows\SysWOW64\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:1168
- C:\Windows\SysWOW64\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:3492
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:5916
- C:\Windows\SysWOW64\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:2404
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:display
    3⤵
    PID:5256
- C:\Windows\SysWOW64\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:6292
- C:\Windows\SysWOW64\dtdump.exe
  "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:6396
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:6448
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    PID:6460
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      PID:6496
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        
        PID:6552
- C:\Windows\SysWOW64\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:6540
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:6728
- C:\Windows\SysWOW64\EaseOfAccessDialog.exe
  "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:6800
- C:\Windows\SysWOW64\edpnotify.exe
  "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:6864
- C:\Windows\SysWOW64\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:6936
- C:\Windows\SysWOW64\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:6960
- C:\Windows\SysWOW64\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:6980
- C:\Windows\SysWOW64\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:7092
- C:\Windows\SysWOW64\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:7116
- C:\Windows\SysWOW64\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
    3⤵
    PID:5256
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:6264
- C:\Windows\SysWOW64\expand.exe
  "C:\Windows\System32\expand.exe"
  2⤵
  PID:320
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe"
  2⤵
  PID:6452
- C:\Windows\SysWOW64\extrac32.exe
  "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:6496
- C:\Windows\SysWOW64\fc.exe
  "C:\Windows\System32\fc.exe"
  2⤵
  PID:6600
- C:\Windows\SysWOW64\find.exe
  "C:\Windows\System32\find.exe"
  2⤵
  PID:6672
- C:\Windows\SysWOW64\findstr.exe
  "C:\Windows\System32\findstr.exe"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\finger.exe
  "C:\Windows\System32\finger.exe"
  2⤵
  PID:5364
- C:\Windows\SysWOW64\fixmapi.exe
  "C:\Windows\System32\fixmapi.exe"
  2⤵
  PID:6016
- C:\Windows\SysWOW64\fltMC.exe
  "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:7036
- C:\Windows\SysWOW64\Fondue.exe
  "C:\Windows\System32\Fondue.exe"
  2⤵
  PID:4948
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:6744
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\System32\fontview.exe"
  2⤵
  PID:7140
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:7144
- - C:\Windows\SysWOW64\cmd.exe
    /c echo "18e190413af045db88dfbd29609eb877.db"
    3⤵
    PID:6244
- C:\Windows\SysWOW64\fsquirt.exe
  "C:\Windows\System32\fsquirt.exe"
  2⤵
  PID:6484
- C:\Windows\SysWOW64\fsutil.exe
  "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\ftp.exe
  "C:\Windows\System32\ftp.exe"
  2⤵
  PID:6748
- C:\Windows\SysWOW64\GameBarPresenceWriter.exe
  "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  PID:6628
- C:\Windows\SysWOW64\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe"
  2⤵
  PID:6588
- C:\Windows\SysWOW64\getmac.exe
  "C:\Windows\System32\getmac.exe"
  2⤵
  PID:6832
- C:\Windows\SysWOW64\gpresult.exe
  "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:6576
- C:\Windows\SysWOW64\gpscript.exe
  "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:7052
- C:\Windows\SysWOW64\gpupdate.exe
  "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:6536
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:7036
- C:\Windows\SysWOW64\hdwwiz.exe
  "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:7044
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\System32\help.exe"
  2⤵
  PID:6520
- C:\Windows\SysWOW64\hh.exe
  "C:\Windows\System32\hh.exe"
  2⤵
  PID:5388
- C:\Windows\SysWOW64\HOSTNAME.EXE
  "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:6780
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\System32\icacls.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6456
- C:\Windows\SysWOW64\icsunattend.exe
  "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:6496
- C:\Windows\SysWOW64\ieUnatt.exe
  "C:\Windows\System32\ieUnatt.exe"
  2⤵
  PID:6564
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:6532
- C:\Windows\SysWOW64\InfDefaultInstall.exe
  "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:5480
- C:\Windows\SysWOW64\InputSwitchToastHandler.exe
  "C:\Windows\System32\InputSwitchToastHandler.exe"
  2⤵
  PID:6940
- C:\Windows\SysWOW64\instnm.exe
  "C:\Windows\System32\instnm.exe"
  2⤵
  PID:6552
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:5388
- C:\Windows\SysWOW64\iscsicli.exe
  "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:6764
- C:\Windows\SysWOW64\iscsicpl.exe
  "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:6508
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
    3⤵
    PID:6452
- C:\Windows\SysWOW64\isoburn.exe
  "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:6880
- C:\Windows\SysWOW64\ktmutil.exe
  "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:6664
- C:\Windows\SysWOW64\label.exe
  "C:\Windows\System32\label.exe"
  2⤵
  PID:5204
- C:\Windows\SysWOW64\LaunchTM.exe
  "C:\Windows\System32\LaunchTM.exe"
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    PID:6320
- C:\Windows\SysWOW64\LaunchWinApp.exe
  "C:\Windows\System32\LaunchWinApp.exe"
  2⤵
  PID:6844
- C:\Windows\SysWOW64\lodctr.exe
  "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:6564
- C:\Windows\SysWOW64\logagent.exe
  "C:\Windows\System32\logagent.exe"
  2⤵
  PID:3168
- C:\Windows\SysWOW64\logman.exe
  "C:\Windows\System32\logman.exe"
  2⤵
  PID:6676
- C:\Windows\SysWOW64\Magnify.exe
  "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:6552
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:6412
- C:\Windows\SysWOW64\mavinject.exe
  "C:\Windows\System32\mavinject.exe"
  2⤵
  PID:6416
- C:\Windows\SysWOW64\mcbuilder.exe
  "C:\Windows\System32\mcbuilder.exe"
  2⤵
  PID:6324
- C:\Windows\SysWOW64\mfpmp.exe
  "C:\Windows\System32\mfpmp.exe"
  2⤵
  PID:3080
- C:\Windows\SysWOW64\mmc.exe
  "C:\Windows\System32\mmc.exe"
  2⤵
  PID:3004
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe"
    3⤵
    PID:6676
- C:\Windows\SysWOW64\mmgaserver.exe
  "C:\Windows\System32\mmgaserver.exe"
  2⤵
  PID:624
- C:\Windows\SysWOW64\mobsync.exe
  "C:\Windows\System32\mobsync.exe"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\mountvol.exe
  "C:\Windows\System32\mountvol.exe"
  2⤵
  PID:6772
- C:\Windows\SysWOW64\MRINFO.EXE
  "C:\Windows\System32\MRINFO.EXE"
  2⤵
  PID:7252
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\System32\msdt.exe"
  2⤵
  PID:7312
- C:\Windows\SysWOW64\msfeedssync.exe
  "C:\Windows\System32\msfeedssync.exe"
  2⤵
  PID:7352
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe"
  2⤵
  PID:7376
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe"
  2⤵
  PID:7452
- C:\Windows\SysWOW64\msinfo32.exe
  "C:\Windows\System32\msinfo32.exe"
  2⤵
  PID:7492
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:7564
- C:\Windows\SysWOW64\msra.exe
  "C:\Windows\System32\msra.exe"
  2⤵
  PID:7652
- - C:\Windows\system32\msra.exe
    "C:\Windows\system32\msra.exe"
    3⤵
    PID:7844
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\System32\mstsc.exe"
  2⤵
  PID:7860
- - C:\Windows\system32\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:7928
- C:\Windows\SysWOW64\mtstocom.exe
  "C:\Windows\System32\mtstocom.exe"
  2⤵
  PID:7972
- C:\Windows\SysWOW64\MuiUnattend.exe
  "C:\Windows\System32\MuiUnattend.exe"
  2⤵
  PID:8048
- C:\Windows\SysWOW64\ndadmin.exe
  "C:\Windows\System32\ndadmin.exe"
  2⤵
  PID:8120
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe"
  2⤵
  PID:8156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1
    3⤵
    PID:6856
- C:\Windows\SysWOW64\net1.exe
  "C:\Windows\System32\net1.exe"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\System32\netbtugc.exe"
  2⤵
  PID:7380
- C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
  "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
  2⤵
  PID:6920
- C:\Windows\SysWOW64\netiougc.exe
  "C:\Windows\System32\netiougc.exe"
  2⤵
  PID:6296
- C:\Windows\SysWOW64\Netplwiz.exe
  "C:\Windows\System32\Netplwiz.exe"
  2⤵
  PID:6768
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe"
  2⤵
  PID:944
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\System32\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:4752
- C:\Windows\SysWOW64\newdev.exe
  "C:\Windows\System32\newdev.exe"
  2⤵
  PID:8148
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8072
- C:\Windows\SysWOW64\nslookup.exe
  "C:\Windows\System32\nslookup.exe"
  2⤵
  PID:8112
- C:\Windows\SysWOW64\ntprint.exe
  "C:\Windows\System32\ntprint.exe"
  2⤵
  PID:3288
- C:\Windows\SysWOW64\odbcad32.exe
  "C:\Windows\System32\odbcad32.exe"
  2⤵
  PID:6856
- C:\Windows\SysWOW64\odbcconf.exe
  "C:\Windows\System32\odbcconf.exe"
  2⤵
  PID:7400
- C:\Windows\SysWOW64\OneDriveSetup.exe
  "C:\Windows\System32\OneDriveSetup.exe"
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /cusid:S-1-5-21-308834014-1004923324-1191300197-1000
    3⤵
    PID:8236
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess
    3⤵
    PID:8460
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe"
      4⤵
      PID:10312
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      PID:10700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10700 -s 672
        5⤵
        Program crash
        
        PID:10932
- C:\Windows\SysWOW64\openfiles.exe
  "C:\Windows\System32\openfiles.exe"
  2⤵
  PID:4524
- C:\Windows\SysWOW64\OpenWith.exe
  "C:\Windows\System32\OpenWith.exe"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\OposHost.exe
  "C:\Windows\System32\OposHost.exe"
  2⤵
  PID:3368
- C:\Windows\SysWOW64\PackagedCWALauncher.exe
  "C:\Windows\System32\PackagedCWALauncher.exe"
  2⤵
  PID:4840
- C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
  "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
  2⤵
  PID:4296
- C:\Windows\SysWOW64\PATHPING.EXE
  "C:\Windows\System32\PATHPING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6296
- C:\Windows\SysWOW64\pcaui.exe
  "C:\Windows\System32\pcaui.exe"
  2⤵
  PID:6780
- C:\Windows\SysWOW64\perfhost.exe
  "C:\Windows\System32\perfhost.exe"
  2⤵
  PID:7264
- C:\Windows\SysWOW64\perfmon.exe
  "C:\Windows\System32\perfmon.exe"
  2⤵
  PID:8168
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
    3⤵
    PID:6688
- C:\Windows\SysWOW64\PickerHost.exe
  "C:\Windows\System32\PickerHost.exe"
  2⤵
  PID:6332
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6944
- C:\Windows\SysWOW64\PkgMgr.exe
  "C:\Windows\System32\PkgMgr.exe"
  2⤵
  PID:6312
- C:\Windows\SysWOW64\poqexec.exe
  "C:\Windows\System32\poqexec.exe"
  2⤵
  PID:8164
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\System32\powercfg.exe"
  2⤵
  - Power Settings
  PID:6296
- C:\Windows\SysWOW64\PresentationHost.exe
  "C:\Windows\System32\PresentationHost.exe"
  2⤵
  PID:8236
- C:\Windows\SysWOW64\prevhost.exe
  "C:\Windows\System32\prevhost.exe"
  2⤵
  PID:8300
- C:\Windows\SysWOW64\print.exe
  "C:\Windows\System32\print.exe"
  2⤵
  PID:8320
- C:\Windows\SysWOW64\printui.exe
  "C:\Windows\System32\printui.exe"
  2⤵
  PID:8376
- C:\Windows\SysWOW64\proquota.exe
  "C:\Windows\System32\proquota.exe"
  2⤵
  PID:8396
- C:\Windows\SysWOW64\provlaunch.exe
  "C:\Windows\System32\provlaunch.exe"
  2⤵
  PID:8416
- C:\Windows\SysWOW64\psr.exe
  "C:\Windows\System32\psr.exe"
  2⤵
  PID:8476
- - C:\Windows\system32\psr.exe
    "C:\Windows\system32\psr.exe"
    3⤵
    PID:8512
- C:\Windows\SysWOW64\quickassist.exe
  "C:\Windows\System32\quickassist.exe"
  2⤵
  PID:8540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 1988
    3⤵
    - Program crash
    PID:8808
- C:\Windows\SysWOW64\rasautou.exe
  "C:\Windows\System32\rasautou.exe"
  2⤵
  PID:8584
- C:\Windows\SysWOW64\rasdial.exe
  "C:\Windows\System32\rasdial.exe"
  2⤵
  PID:8632
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\System32\raserver.exe"
  2⤵
  PID:8688
- C:\Windows\SysWOW64\rasphone.exe
  "C:\Windows\System32\rasphone.exe"
  2⤵
  PID:8800
- C:\Windows\SysWOW64\RdpSa.exe
  "C:\Windows\System32\RdpSa.exe"
  2⤵
  PID:8916
- C:\Windows\SysWOW64\RdpSaProxy.exe
  "C:\Windows\System32\RdpSaProxy.exe"
  2⤵
  PID:9004
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\system32\RdpSa.exe"
    3⤵
    PID:9176
- C:\Windows\SysWOW64\RdpSaUacHelper.exe
  "C:\Windows\System32\RdpSaUacHelper.exe"
  2⤵
  PID:9052
- C:\Windows\SysWOW64\rdrleakdiag.exe
  "C:\Windows\System32\rdrleakdiag.exe"
  2⤵
  PID:9168
- C:\Windows\SysWOW64\ReAgentc.exe
  "C:\Windows\System32\ReAgentc.exe"
  2⤵
  PID:9212
- C:\Windows\SysWOW64\recover.exe
  "C:\Windows\System32\recover.exe"
  2⤵
  PID:4760
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe"
  2⤵
  PID:7796
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:7624
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe"
  2⤵
  PID:8360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:8404
- C:\Windows\SysWOW64\regini.exe
  "C:\Windows\System32\regini.exe"
  2⤵
  PID:8428
- C:\Windows\SysWOW64\Register-CimProvider.exe
  "C:\Windows\System32\Register-CimProvider.exe"
  2⤵
  PID:6636
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe"
  2⤵
  PID:8508
- C:\Windows\SysWOW64\rekeywiz.exe
  "C:\Windows\System32\rekeywiz.exe"
  2⤵
  PID:7584
- C:\Windows\SysWOW64\relog.exe
  "C:\Windows\System32\relog.exe"
  2⤵
  PID:8628
- C:\Windows\SysWOW64\replace.exe
  "C:\Windows\System32\replace.exe"
  2⤵
  PID:8652
- C:\Windows\SysWOW64\resmon.exe
  "C:\Windows\System32\resmon.exe"
  2⤵
  PID:8756
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe" /res
    3⤵
    PID:8984
  - - C:\Windows\system32\perfmon.exe
      "C:\Windows\Sysnative\perfmon.exe" /res
      4⤵
      PID:6596
- C:\Windows\SysWOW64\RMActivate.exe
  "C:\Windows\System32\RMActivate.exe"
  2⤵
  PID:5272
- C:\Windows\SysWOW64\RMActivate_isv.exe
  "C:\Windows\System32\RMActivate_isv.exe"
  2⤵
  PID:8996
- C:\Windows\SysWOW64\RMActivate_ssp.exe
  "C:\Windows\System32\RMActivate_ssp.exe"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
  "C:\Windows\System32\RMActivate_ssp_isv.exe"
  2⤵
  PID:9196
- C:\Windows\SysWOW64\RmClient.exe
  "C:\Windows\System32\RmClient.exe"
  2⤵
  PID:6296
- C:\Windows\SysWOW64\Robocopy.exe
  "C:\Windows\System32\Robocopy.exe"
  2⤵
  PID:8452
- C:\Windows\SysWOW64\ROUTE.EXE
  "C:\Windows\System32\ROUTE.EXE"
  2⤵
  PID:8664
- C:\Windows\SysWOW64\RpcPing.exe
  "C:\Windows\System32\RpcPing.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2844
- C:\Windows\SysWOW64\rrinstaller.exe
  "C:\Windows\System32\rrinstaller.exe"
  2⤵
  PID:10356
- C:\Windows\SysWOW64\runas.exe
  "C:\Windows\System32\runas.exe"
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:10452
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  PID:10624
- C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
  "C:\Windows\System32\RunLegacyCPLElevated.exe"
  2⤵
  PID:10804
- C:\Windows\SysWOW64\runonce.exe
  "C:\Windows\System32\runonce.exe"
  2⤵
  PID:10900
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe"
  2⤵
  - Launches sc.exe
  PID:10980
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe"
  2⤵
  PID:11048
- C:\Windows\SysWOW64\sdbinst.exe
  "C:\Windows\System32\sdbinst.exe"
  2⤵
  PID:11188
- C:\Windows\SysWOW64\sdchange.exe
  "C:\Windows\System32\sdchange.exe"
  2⤵
  PID:7536
- C:\Windows\SysWOW64\sdiagnhost.exe
  "C:\Windows\System32\sdiagnhost.exe"
  2⤵
  PID:1180
- C:\Windows\SysWOW64\SearchFilterHost.exe
  "C:\Windows\System32\SearchFilterHost.exe"
  2⤵
  PID:9576
- C:\Windows\SysWOW64\SearchIndexer.exe
  "C:\Windows\System32\SearchIndexer.exe"
  2⤵
  PID:9628
- C:\Windows\SysWOW64\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe"
  2⤵
  PID:9704
- C:\Windows\SysWOW64\SecEdit.exe
  "C:\Windows\System32\SecEdit.exe"
  2⤵
  PID:8036
- C:\Windows\SysWOW64\secinit.exe
  "C:\Windows\System32\secinit.exe"
  2⤵
  PID:11632
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\System32\sethc.exe"
  2⤵
  PID:3904
- C:\Windows\SysWOW64\SettingSyncHost.exe
  "C:\Windows\System32\SettingSyncHost.exe"
  2⤵
  PID:11692
- C:\Windows\SysWOW64\setup16.exe
  "C:\Windows\System32\setup16.exe"
  2⤵
  PID:8156
- C:\Windows\SysWOW64\setupugc.exe
  "C:\Windows\System32\setupugc.exe"
  2⤵
  PID:11708
- C:\Windows\SysWOW64\setx.exe
  "C:\Windows\System32\setx.exe"
  2⤵
  PID:11760
- C:\Windows\SysWOW64\sfc.exe
  "C:\Windows\System32\sfc.exe"
  2⤵
  PID:11812
- C:\Windows\SysWOW64\shrpubw.exe
  "C:\Windows\System32\shrpubw.exe"
  2⤵
  PID:6920
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe"
  2⤵
  PID:6780
- C:\Windows\SysWOW64\SndVol.exe
  "C:\Windows\System32\SndVol.exe"
  2⤵
  PID:8520
- C:\Windows\SysWOW64\sort.exe
  "C:\Windows\System32\sort.exe"
  2⤵
  PID:12192
- C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
  "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
  2⤵
  PID:12224
- C:\Windows\SysWOW64\srdelayed.exe
  "C:\Windows\System32\srdelayed.exe"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\stordiag.exe
  "C:\Windows\System32\stordiag.exe"
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\SystemInfo.exe
    "SystemInfo.exe"
    3⤵
    - Gathers system information
    PID:3984
- C:\Windows\SysWOW64\subst.exe
  "C:\Windows\System32\subst.exe"
  2⤵
  PID:3396
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\sxstrace.exe
  "C:\Windows\System32\sxstrace.exe"
  2⤵
  PID:3412
- C:\Windows\SysWOW64\SyncHost.exe
  "C:\Windows\System32\SyncHost.exe"
  2⤵
  PID:5952
- C:\Windows\SysWOW64\systeminfo.exe
  "C:\Windows\System32\systeminfo.exe"
  2⤵
  - Gathers system information
  PID:11272
- C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
  "C:\Windows\System32\SystemPropertiesAdvanced.exe"
  2⤵
  PID:11340
- C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
  "C:\Windows\System32\SystemPropertiesComputerName.exe"
  2⤵
  PID:11408
- C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
  "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:1828
- C:\Windows\SysWOW64\SystemPropertiesHardware.exe
  "C:\Windows\System32\SystemPropertiesHardware.exe"
  2⤵
  PID:11832
- C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
  "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:12176
- C:\Windows\SysWOW64\SystemPropertiesProtection.exe
  "C:\Windows\System32\SystemPropertiesProtection.exe"
  2⤵
  PID:12260
- C:\Windows\SysWOW64\SystemPropertiesRemote.exe
  "C:\Windows\System32\SystemPropertiesRemote.exe"
  2⤵
  PID:12272
- C:\Windows\SysWOW64\SystemUWPLauncher.exe
  "C:\Windows\System32\SystemUWPLauncher.exe"
  2⤵
  PID:12284
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\System32\systray.exe"
  2⤵
  PID:10060
- C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\System32\takeown.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:10068
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:11464
- C:\Windows\SysWOW64\tar.exe
  "C:\Windows\System32\tar.exe"
  2⤵
  PID:10144
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe"
  2⤵
  - Kills process with taskkill
  PID:10172
- C:\Windows\SysWOW64\tasklist.exe
  "C:\Windows\System32\tasklist.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:9504
- C:\Windows\SysWOW64\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe"
  2⤵
  PID:7688
- C:\Windows\SysWOW64\tcmsetup.exe
  "C:\Windows\System32\tcmsetup.exe"
  2⤵
  PID:11948
- C:\Windows\SysWOW64\TCPSVCS.EXE
  "C:\Windows\System32\TCPSVCS.EXE"
  2⤵
  PID:12028
- C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
  "C:\Windows\System32\ThumbnailExtractionHost.exe"
  2⤵
  PID:12068
- C:\Windows\SysWOW64\timeout.exe
  "C:\Windows\System32\timeout.exe"
  2⤵
  - Delays execution with timeout.exe
  PID:8696
- C:\Windows\SysWOW64\TokenBrokerCookies.exe
  "C:\Windows\System32\TokenBrokerCookies.exe"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\TpmInit.exe
  "C:\Windows\System32\TpmInit.exe"
  2⤵
  PID:1788
- C:\Windows\SysWOW64\TpmTool.exe
  "C:\Windows\System32\TpmTool.exe"
  2⤵
  PID:6684
- C:\Windows\SysWOW64\tracerpt.exe
  "C:\Windows\System32\tracerpt.exe"
  2⤵
  PID:4816
- C:\Windows\SysWOW64\TRACERT.EXE
  "C:\Windows\System32\TRACERT.EXE"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1012
- C:\Windows\SysWOW64\TSTheme.exe
  "C:\Windows\System32\TSTheme.exe"
  2⤵
  PID:11084
- C:\Windows\SysWOW64\TsWpfWrp.exe
  "C:\Windows\System32\TsWpfWrp.exe"
  2⤵
  PID:7460
- C:\Windows\SysWOW64\ttdinject.exe
  "C:\Windows\System32\ttdinject.exe"
  2⤵
  PID:7664
- C:\Windows\SysWOW64\tttracer.exe
  "C:\Windows\System32\tttracer.exe"
  2⤵
  PID:8828
- C:\Windows\SysWOW64\typeperf.exe
  "C:\Windows\System32\typeperf.exe"
  2⤵
  PID:5272
- C:\Windows\SysWOW64\tzutil.exe
  "C:\Windows\System32\tzutil.exe"
  2⤵
  PID:8572
- C:\Windows\SysWOW64\unlodctr.exe
  "C:\Windows\System32\unlodctr.exe"
  2⤵
  PID:7276

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv pqXnsLwyDEWIq1OGi3jKBw.0
1⤵
PID:4812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x4c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:5948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6024
- C:\Windows\system32\dashost.exe
  dashost.exe {20aa7c90-833c-42e4-bca74a8dcb3567b5}
  2⤵
  PID:2592
- C:\Windows\system32\dashost.exe
  dashost.exe {e390af30-c1b3-4e26-b8b0ced51e686248}
  2⤵
  PID:676
- C:\Windows\system32\dashost.exe
  dashost.exe {f3fc8d14-6420-4866-afaefaf5cb946af2}
  2⤵
  PID:5512

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1928

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6168

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 8540 -ip 8540
1⤵
PID:8780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10700 -ip 10700
1⤵
PID:10852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5fcd6d0e6f0b09f978a568efa9dafa66_dfb05040-5249-4f24-86ce-02107243e94b

Filesize
2KB

MD5
a93d1c67bca586b5a0ba2b4a29504d5e

SHA1
ac73e70f53fefd2f166b0ea73586de2714635047

SHA256
5eb50d20fbe9fc7fb3eaa0499fd9f8a511098dc02548c2db1615185e8d8919d6

SHA512
035dc52ff8d08c4e7a0c05f194521e566d6ac0f61763adfc39daf73db52eb92ecfcf89648c15a4343de863bc27b961f28f790005114b6d57e53496fb627f6c16

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5fcd6d0e6f0b09f978a568efa9dafa66_dfb05040-5249-4f24-86ce-02107243e94b

Filesize
2KB

MD5
afae6eb1f71f8602cdf067982430284d

SHA1
bd0b5b7cc4b0cf1659f6aa585c2cfd40bad31ed0

SHA256
ec1a403d4b3acfbceaaa27bfaba449276a477d7ff13497ab08459a3020f586a7

SHA512
a737f2c1b070ca8e6b6dcabef4dc42359be36c5f2575b0a4a682b3b9baa4fc9da492de8a5fdbd3db0044533edad0d31da00588b6f5a31a00443bb3ee345ee8f0

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-308834014-1004923324-1191300197-1000\CERT-Machine-2048.drm

Filesize
28KB

MD5
2532097054793fec467c50a5517d5fb4

SHA1
5139dbb391f52c6cd5a19a6d06347b1cac05c9ad

SHA256
ac8b5da51e1cf96bae688a835507e0af0d66b0f30ce09e9666c1261d183d3529

SHA512
6cf598beca579d34ee52aa5e397ed70d837f53c5937d06f320437dc28a9b8ae755fad3969999ba528bb99ff1ee0b14b42c5497bcb8feca48682b9ac3f4f1e45e

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-308834014-1004923324-1191300197-1000\CERT-Machine.drm

Filesize
25KB

MD5
69247290309ffcf15f5af1deb8749e70

SHA1
f8dfa35469d0cd607d872c80bf4a4e55aba4cf76

SHA256
cc665888fd631994aa5dcf0ab706f3dfbf1cc5e333e60690daefae09b4bfcfcd

SHA512
f3fe819c524feb912af2f8d3c05060275bcbd7cdd2e8c84e4f542872d9c72cd5e550ad35bf2b2c5332550a1de369622b71921bf24c2576a14c23f9753fa1261b

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine-2048.drm

Filesize
28KB

MD5
7340737cfe7e3fc5c14d45181ec3ccc7

SHA1
ecc1e8a003f1d97e960813f7147b184e0e2e252c

SHA256
7115a5c7ea07aee2d32bb4cd5b5678c9a84d13f2fb1bdc01828cd15cfc6fb124

SHA512
2fe2c77148f01eb407bf1131f8e5082634281511da78282f9bbc3f0f55e069201ca21595211959aa9a7ef3b79fd1373514f1b552d5a71acb96df50331eb5d08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm

Filesize
25KB

MD5
7e3604536b9f46a5827511bebf901667

SHA1
43a238b5e3a8727fbb60cce134f9649ed0211a03

SHA256
87b8007f7fbcdfa427d76a52cb7a799fa1d27c2d9db85292e708d6c89eee3d04

SHA512
6da14cd7601379ae392a761feec645ff39a4b08aa79cb15596725f56233ba9e10aed03fabb6999009dafbdb325f8259c9db5baa655e074015f687aab3d397a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
768KB

MD5
5b4b3b43559c25c4366bf9a530c37e62

SHA1
c3a790816465cdb7d66e2a92b4afcbb5ceef7874

SHA256
2f0e0df5fc29553938acbc4e3757f8644fa43b79d8e4b86795dbc4839b511174

SHA512
dad63048e2819108dbaf544b2a247f7f34f844d98c30daac595bc53eac33b0ba9455d41554a5c5dd49672b69426f8daddc5431c0dea337feac346a56ec0769a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe

Filesize
299KB

MD5
f3d599fce8eded3bdfd228836270813c

SHA1
42dd75022856626b914a9add01c48d5e206d6eb8

SHA256
24e76fe67435e9c7c1aa9ec22d736de3873fbd2e880d8ae716dffec0e146fc53

SHA512
aedd379d24c2f5a1183453a736fd3d24830424c9deb13f8b959107ee14096a0edf2c3295776bf2228b428c91f6c3c4a4cb95c71de066843e54544f0371a77266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LoggingPlatform.dll

Filesize
1.4MB

MD5
e6ad7126fdb9e7c6a3af321e921098b0

SHA1
75b0783d503842e042f6caf3b84345cd7fee4b84

SHA256
eec0d50bae5bdb5b3899d2dbb5c90ac95163a3dceea259523a08eb1c8be38dbf

SHA512
86a8bbf24d225a0d5aa7bd1d616dfe1e31adb9fb914801d10ccd9df91b880e0ef5d0d2f512ecc21d4c4c7615afd44ac3ab80149d7ad0cf164daf8f2cbef1bc57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
652B

MD5
433d5c9bfe71c70e6bf1f18b7da188f4

SHA1
54f9253621c725ea644b3c2a0a11b0ff6bf8e44c

SHA256
3ba55b200b58756480679cf8b6b98d7b3570f8dfcdb39186f721357da8d8172c

SHA512
49f00fbdd9dfc542a2ac844520d34fdeec927b932fad9910f189c9171d50aa4037f9cfb2e1de778e12ed964adae6d3b3aed60555fcc50712539f2e69fb44da8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
848B

MD5
f837c5aa1f38d8241b28b92d15eebe75

SHA1
9b11b235c11cfce25f1325eba753e469b5d5e74f

SHA256
cc134daaa737e48e0f37ff5bece33e23484c47b55cb6571f3283e73e14f54334

SHA512
c79f1fb011e21555db8d0fb249d37b1cfa31d2c35d1e7e0417035cbaa717174d63d5a535fbaf1578625c50cf2417dae1e0a97e06e8799e53a8af951c1cd6ff19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
990B

MD5
262b8476753f83b4abd01017dcdb061f

SHA1
eb35a51e2be3fb5549623711115fa3a9c67128f4

SHA256
ef6ac1caa0aebe3d94ba86856fd69d68f370588a678b1b6f9f90c83b161d87ab

SHA512
17dc2b496cb655d4cc5e4422deb1eb1d8657f7bb99f85f442dc9c21b866bf54b4b35c09954f27ff36236125db80d4165ed7d665780c9caea8b1df42860bac148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
1KB

MD5
a2184c1047a0c1fab0f465f2355ccf92

SHA1
95ac7cbcbf75a35c8f0cf0c8096bd885cd510af8

SHA256
eb846e01333b2dd4ce1c2aeccbd6d90874f976948b881aa362e13593a254ad70

SHA512
c49cb5d8327b92fcc6032f2f7e14a78399279c07deb5c2a3e60558fd91f702f5cf12392a6ceb818478dfea41cadf76b8e632492581edee19b5bea95f2cb36700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
3KB

MD5
1554dd2698b5f2d81445704d4f4c58ba

SHA1
a1d39f0d37ebdd29ce14dc6fbd276eaaaa352c98

SHA256
f31eb37b641e0ab8782ef294adb57d31135e5aad8838c06f8fdb0a86929e39c4

SHA512
d4707fddb7744101079723198fe8df4db5463d3b07db6c4558ef7fdca8d4550022fcf576e38e213a577c91be5662f816a5d00e36d805b0320494320944176f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
662B

MD5
f0fd948f7e9d30f657c55490c70ee327

SHA1
2685a31eb19728cc8d9fd66378953cd114b7200e

SHA256
24685ca3546f1f95f9e9beca29534e134e69b031923e45723558201762bba147

SHA512
2b96bc7efa363b89d2f457886d63550bb015a89489bda09618cea4f168925e1168a51916ab9f79191e1b308c67724d88efd9f705d67a1d626ef11b841e85ed06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
871B

MD5
5588d3464d135bda19ecb5f6284f1aa5

SHA1
d2efeeadc301743f0615c7f1445f081b37dce839

SHA256
2aa13d9ab91c6e04292a1d4e635fdd337088ccd8cebece9880c5fc67ced53faa

SHA512
a3f2f74e526fc93961c5584137558cab8166f1784f2a41b8e73e3ab94bcb1280185166702580a2a270331aacb835a75126b5fa34c93e6837f9262ef626bd8980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
800B

MD5
748e43b4da7f7fc91a98534f1c90c32f

SHA1
65e9b6981252ce4d00b75b3b14ac67f0d0794f4a

SHA256
4eabc71f16afaaff190302a2656fc9faf542632b75f8294c721d008b9a51b46a

SHA512
fa590cadc4d7dee399d8abbd71381f39714fe73dc055db6bd8bfe4a8c7d29abd2288f2300ccbe0f01cb82b6eabaf01abf06fdc8a8508bd2bf801487df7165e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
1KB

MD5
d69b68d21ed0c659704bca13218267c0

SHA1
9479f47cbafe1270453ce9dbe87b4617d7586b85

SHA256
78aea1a92cf325b6f2b1c8d2438122a3a38396ef28ccf4e6a77896bd1d04a31f

SHA512
ff1980d4e4a82ad781ad7e65554d1380389e4466f9603d4f9e3f890796be292947af0b3981cabbc0550d561ec1825b121b2beda43ce618f62311b075cb44ee3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
3KB

MD5
28005183d565fd56057ff53c2271c256

SHA1
ed6795fdabf969b986b6d754d4c677ef6204149b

SHA256
ecf4e09027031c0dc5f66cbeef68a96d59947c6eff969fef9908ddbbf9cdd3e1

SHA512
44b9f6d2dbaca794525c5098074fd00d6924ea3b939983acaf30523f0c3d547f6e21bab87c03221029c43a5952347f872d0d1a925f1fa29d5d82d09131e7ce38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
413B

MD5
52f5be0f8d3c5150b591a4656a50d6b0

SHA1
f5d2756286e241205e0a9f4fea34752f4574047c

SHA256
b00b6a09f4aa9dfff7026ff9c2ea5ec0236b05ae8b99d0cdb35c3a1ea78a5d2d

SHA512
0bae80db35f6c37658584b41f4832f74e576d38e1fe426dcbd37d5304267a63e2be92e447313d420e487834eda8a4145d030cbeb1ae3f4e10ec0ba6817a24f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
525B

MD5
bda3baf91f230bf2b10e2e019abc3eff

SHA1
33a97b6c95a56aa1ae908b96f56ab798676c7f06

SHA256
d2d097d39687ac886d8836a553f8d1b581723094ae5539a259c0259585d99475

SHA512
a5d4ee987f6ba09407d89ac3d0fb99f05c12f039b50565cd495ab1d2bed69650f6295f7b22a715a464325c494d9d8ef9c4906e3902554468e2f3dc3681914a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
591B

MD5
8a85aa646709ae9d2681f83ed85d14f2

SHA1
61e8275e4bb8e653df6e4cacb287cd5ecb037a05

SHA256
35fcc1231bdd1bf82feb86777ec5ec982515b188cb9c52ddab9ff43d9fab0366

SHA512
701786cd56afc64c8c2f6e2bca0b933a69200de79885de9a45d98af334a44c867cc24b90feef6f88217a120531e76ce02140decbd4b7d17495ad237c31719bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
803B

MD5
5be57d0496257ec3b690a85c7afeea95

SHA1
8acfc6b3cfa72773f25cc7e3541fef623599db14

SHA256
3ec8cf118d4eef4c6af68cb5c679b71991c37e5a0f72ad9c3bf4027afb4180ff

SHA512
2f7c6731dbb37fb0f405bf19d888f6210f5d7bb8f335959a4e30f1ce95dc5782a019b889c2b99a56eebec737e85ee9a3293376e3386fb13070d84e0e67255140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
1KB

MD5
80272785b68cee17562300786f0fa59b

SHA1
32da39d8d8075141fe76b0c56ed2ca0e7ce23d29

SHA256
bb89239434644337760c382db336f80e16494d12d3e9258985da74b734f423a8

SHA512
a3b5042a028f377cade6ca0d700b4ce18aaa0ccc0c2695b366e45f9b406deab411c4d7b13c0c3f93e1a66e46a85abd15064419535a04b7361311e8416fb996af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png

Filesize
416B

MD5
1af06c14baf9292118292d2e86e10f4b

SHA1
4e2e46da804bd3b330caae6a1cb5f487fe800806

SHA256
ca3f45e98fcd7a144623b75b6c8ed907c00e3d410627eb0091f01423dbac8dc9

SHA512
b6d79ddf96c09c9b2ebdcdc3eb34ac63b235eabfe61348a9173045dcda211d333884f63a1c77b5ee50758aaadd87cb3edc1cdfb74d91520e37dbcbbfc37aedb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png

Filesize
532B

MD5
b7d80eea5ec49b3620d1e15d81912ee4

SHA1
281679676d582ba6128e3766439e0d6168f98319

SHA256
3a50da1c6a1bfe9f6acc0594b740f5544c6304c1aabbdf4d04cee367fb811150

SHA512
081c928eb8b980d7ceae08e2d78894f9a8e6c5fc280a8f479cfe7e12541a39523002121cc39ae0fab7574cd23a9d652a21f17ff81e0febb2467bb95284b98a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png

Filesize
597B

MD5
0e3d8f803ad480d38da0a3b925c02106

SHA1
2c4490c8c711ef835d98ebec3a4e27aec4fc3f26

SHA256
225d709c0e85f6e37c9f2625de07c4572a945f165d80e14a50906927821064b1

SHA512
672c885f804d6ccb743a376a6c9d26d9edac7730ef07e6620cdad9a446529ecb94613cc06a32078f309f9cec740924cebf54bc73f0b372480a46130a6dd6f05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png

Filesize
814B

MD5
40feb212faf4dcf564629e23a310ffa4

SHA1
5c70a8387c009f7968380df70efd758f7de25cbb

SHA256
fb0dacbd8567fbb468a506ab8b33afa95d555da74aef8eb1eccbf928216e8c26

SHA512
ca8e4f58fa8185a90911f03a99156288844e4962221c66beeab8c9055fc59a85e8109ca1756c4278c874cce3be5b4f62f75f9e48eaf95af3ebdbd74f36958f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png

Filesize
1KB

MD5
a85addc7df73937053d80fdfaafdb76a

SHA1
ad204a72072c30cda7576af196a75f36ebdb9664

SHA256
a1a9aef9837e8a555ae95338fc358fcf24a8accc2aaf6e49b8fec60818a7216e

SHA512
6bbf91b3d418df04d83ef378a48d8caf2497eb980277362d7152cf3922466104e1f529a86940bc701428011904de4bceef69074a2d456e13335e18cacf29d91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\MSVCP140.dll

Filesize
438KB

MD5
a1b3963e1766c5266d94b171a4595cee

SHA1
9283a813774f2e310997ba08bca9ec96282a85d1

SHA256
0f5aeae55bf6d7b37e5582ec60bbdb93bf24adf648f9fa342cdba1b0a754e403

SHA512
ef0a3cb33902eb0dd3d80b688f5e23b4192ebafb131b30c56f27221412daf72b40c3e17670ec1ca8209775369f93bf66a3a75ae5acff45e629e732464d3972b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
ddcbc6ab58ff4f81ace430e932179977

SHA1
e7bc8b2b319dafae40ad9b4f49de305a783a2326

SHA256
2647bc7d5d80e3a1323793d3125cc845ce067a7bef4521cf8dbe8955f9587135

SHA512
224f885d1f8abde766b2033e4bb44699739ea8ab5be59c2d0b82183623e83ba403884d6416395ee621ef2389dd1708d20ece4dcf2c3b4646793561bfc9d682fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDrive.exe

Filesize
1.4MB

MD5
cf1a1b2a6f227d5b06ab0b3c8b88618b

SHA1
d307e14b74c0f583291b44823c37d7787e562cec

SHA256
1fd250a499b2912b1acec31a03caa32f1b328f2861e1383e94f23386f724fb36

SHA512
bbfa835dbf598fb31ee0ee19bf0d3164794a9accccd79854487611341783e366b69322e3e533824076380dd6dc72e4cc5d69455fe49305da6fb4fcff79fa469c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveStandaloneUpdater.exe

Filesize
2.4MB

MD5
bdff068c4c23e586a2013708d6a75c9a

SHA1
57794a32e7a327d95c1764de5ee1b54b7201d1df

SHA256
7c965138cd0aac6920c9c7e2e68f2432a0f32f6b6cc0210e44e4ce7ca4b2c59b

SHA512
b93791fe8036a1ad7fb3f1078946d78c464d121614a274a47640b85c53e15318eb7e81794588c50bdd5068305ee1faacd7a57043e046f6c714d9bca2dfef64cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Telemetry.dll

Filesize
185KB

MD5
e3b1f6e3a992a1bd594bdbef574c20b3

SHA1
8e83a393d389a867c6bc869446d38a62d43227a3

SHA256
46110ff26021b5a642abd7bdd8b6077508f0dac8257bffa6e920ceff733e66e6

SHA512
54b08fb62c4c38a1f58bbb61669ea0070d5fb54dafccfdd340186d6588fef738ecb02c7a1df7dac8b02742697095a591af1ba0986de268c97dbd6d54a4870705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\UpdateRingSettings.dll

Filesize
221KB

MD5
b988864b50b4dedda05fa516fb18d137

SHA1
ae2e6183210311369917c3ea1ac6a7a97b9cc886

SHA256
c0c247ac862280118fb110a4af9da619913c60c45a0feb14ad08f949a1e0db9d

SHA512
7208bf83d3824cb7a91608fbc4f86ac07607c9e97c92476500a1e4c4d58613b95d341df8ac7c2b4df246b72fadef0df4dea52f0fdb140b8c9b2102ab63b36de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\ucrtbase.dll

Filesize
1.1MB

MD5
92771d1c18fc0ecc364c0e3e32e0f69f

SHA1
880db04c64c9a3c8557de636017c3e7d3d210b8f

SHA256
13209221c53529703781f8e3e5f9cea79d21961cd93bc6c2eff950a99623f6fc

SHA512
598bbfa43e5e87bf8b08704502acbc776cab4ab115170bc33b08b5194eaf9dff8a0a692d7ae3a17f6340f5da2afb01658fb5186a4776a61d252293849cd55012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\vcruntime140.dll

Filesize
77KB

MD5
f686e2331a83d20798cfc2734729e531

SHA1
c7e6398f5a735039baabf22712c5a8aee5a945e1

SHA256
535f74f446a1b7b53da24a742d02369cbcc609003a6b4a8175491aa71c5481b4

SHA512
30ea339ec845dbc9aa7b323ed25e516cb04f3e17789cd28f54646c82395f0b42eb4a5d4d4aa06c4d39b9602c37590b31ca5c0bfa22a514a73ec45e39c0d8e31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\userTelemetryCache.otc.session

Filesize
20KB

MD5
269de2cc894157b7dbe164f4d48e408d

SHA1
a4542bd4d2e3bef3638d104a3155af0c2550c157

SHA256
4eeaec805f00d33a284c2a70c69eec99f59089424be5e10d0dec8cd05e83aef8

SHA512
ad66ec3f76b7593b24de76530138b6a61c87e0c525a5f9add69b2f173cfb0d4490e886fd33610cf51e63c9a63ec63190ca7a7e1d66e6ac95aedbd6a9a3dbfbc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Resmon.ResmonCfg

Filesize
17B

MD5
407aab8c27cf7081eece071c90a65b83

SHA1
d9ec9f9d3768fb1c3646284d77f519f74ee6b8cc

SHA256
568269850dbb3f5f52e0e38e3c0b29be06c70c58fe425b39746f5ccefdd668a4

SHA512
88a35933e87dbdd298577bdb33afb1f878dc68f43e7916c4102e893fe04812a9522ed66755df03105fd199fdc3c6bd197051c22b2ea2765d0adba5c375ddd35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp284E.tmp

Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
0eaf3659a450cc1f45d8f3d7717d7baa

SHA1
0b67b70765e3a9bea00b9710721c118aebda85e5

SHA256
5d0c2097006cb134a8a37ff8022ba46b629f228d115ff7c0e38eb7a0c4b1f39c

SHA512
2a7c674e55b33378a7802999f2f16e79bdd1d7c5f8b5529b309d215ca1066b2a6de1066ebbac3eb312234ae0a83c452f28208058217635e019a776c8c36c49e9

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
96B

MD5
c193d420fc5bbd3739b40dbe111cd882

SHA1
a60f6985aa750931d9988c3229242f868dd1ca35

SHA256
e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc

SHA512
d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
49f2577ff7ee68c0fe0c1ebeb1578784

SHA1
07a5c6261ceab8d148f0d70e03dd4c61051c9f1d

SHA256
86e761ef960d4f6cadbfb02c8039f724c45b25f0c7a234cefa366c7a37a22fa5

SHA512
8c73774d3d92de0ebf13f76df5a3dfca267feb2d8d3335107166544e4ed0b4929f883b2b1777d50c2b71aaac0417d093ac2b0c43f1cebb3d1e52d1691d351b6c

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
18KB

MD5
055d6a8125bc215d95115d36e6ebbf8a

SHA1
fc714649cc75300d11008c10e51d54fc830fb9c6

SHA256
eabb8873eb040675eb6fc3c3734c9d4cdc832b04cf667464f21d0caf2944a108

SHA512
aa7a6deb3b42241dd10e7a6ae6bfaeaaa67da9cc20cfaf7fa98f317c62860b7e367c22ea24ff710f2cfd4408cf8121fe2ed511753d118b36932ee4b8bc3b440b

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
32a85017e5141256495e0f60af3f11d2

SHA1
696de49147fd5328bb4dfcfa64c4c291e289f665

SHA256
040d2d8303d979176a0d4ba79456da552c898bb0fa1194e7320b26d0f29faf51

SHA512
98fdd135703b5a910e4311f3391c477cf863c569ffc2d9da8f9bc3acbdad50fe58ff46e532e5029f47bbd9b5da2a64c08e19139dd5e2c0d665d40827db6e0916

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
14KB

MD5
eaa0533bf3fafafdfa340e35297952a6

SHA1
e23e3855dbdf36e3a3cf8edce282587b7e5d4e2b

SHA256
033e0293f40a088107a3d3e8d8870f0c92f848adaa69ae13d87e19004e87a9ee

SHA512
e6dd82aa4d866e528b1fd01d38b6cfbb21f23d9b14a95b05bdbeadc379b8308e19a18ad4f005162efe62da90695d8afb4db30a809f6aa24c07d1bfc9f69ca501

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
16KB

MD5
b356ce0e95c9b7807f20b741d581513d

SHA1
da53a216298116ed84beecd7b48ea47ed8c09e76

SHA256
29048ad495f6f77223d5a12fa0ce2a085a1dbfbbf7af4b9bd8f67ad242314851

SHA512
51728b62f16d0c60c1f74072e478d4775cf77bf9afc2a3b94e3e9151fc9b93f628f64e02f7db2aabc004d4aa7009094c8274074e2ad6f3d8e495cf11fd2fe6b5

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
17KB

MD5
8efc8e893b55890c1141a22822a8faa4

SHA1
0632cc06d0308b57f1623645dbb90aadac59502a

SHA256
f79f2616ab403033f35cd9384ce29e7bb6732b79cb46b58721572bcbedf60c29

SHA512
172bcebe9e50041b295ed0fb370d42b31c3eacbf77d4804609311f21c4a6059e245e7ca1cadf2a24578bb70b035641951388f79222c56ae9f4ce91be33ad52a3

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
adcff33d5775b57af03a84d387699ee0

SHA1
06f912d73a79ac6a98d5d3fd6111fa87b71b3fcf

SHA256
28ea6b52354f71444fa432b14a2200b0c2c1ea509a263399ac898239116b0fdd

SHA512
7e61c56250ef1617bf80304a4d988ad10d7d12b91f5608b177190d27adee0daba4b4bbbd4c11a53083c8eb63eea739c4c3a4530d7f710b60d8baeb95c8ed192e

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
14KB

MD5
62112ca85f1be2c5fced2f2da6397064

SHA1
7fd4de28994dd0acf89c4e22e85b5f99630f8dbf

SHA256
e3a4c3e6cb7bb3a579baaef8758e8e9dd6e722f824534ebbb0d12bf50470d646

SHA512
f269cc2dbcff682f7009aad51f86dff0fc7c148ed37a23e9896b814b5fe2923f1e9702848bd820677e460d899c21bcd67dcf0897da7d676633bf1ac5d693aba8

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
16KB

MD5
3a0b7fc28ac550bbe18431116ca60f59

SHA1
998a10b6371b0e258cbe41821bcee391b313d13f

SHA256
c7ef0f727e4bb634ee8e1bb44e6dfa8a4b4458f765448fe8059b95943d973947

SHA512
01b2c1330ac45ea9748f373f254316a066b40433c634274916fe0f029008c89594570537504462c78f37bc64891bc78fd6e67a32117b715b544e3ddeeef4d547

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
44KB

MD5
24b680c58c1fa2227752bfca2ce56565

SHA1
f087e1d14eb185deb9bd6a02453339463d52d8ce

SHA256
28ad594f19f5799eb36cad374e93b023561d4a3a6d547b8e5132f29220e9ec6e

SHA512
9faa715751351f4e90ae98f472f6f2bd1d95a3af9b6042d8faac10fd730fffac3c1c1d5d52ede460c5674ce857911b98747f3647316ef780362090925c3874a4

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
43KB

MD5
abae2408cb307e2e4822ad1c422b552a

SHA1
f969807ddb30d41220bd159932efb2ce1e079ede

SHA256
eebda42acda0d87d0fe25b5efe8314a30d9576a632e8bd29afc0a7531ac60e69

SHA512
130834f6d9a1e08e3c8e1416eca8fd119919387f8a4ecc7935c16cef9ca276d62c79f24c13ffba537573cdd9c7a47dfab217e68f7b18048458291bc638be20de

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
43KB

MD5
aa5af341c6c4ca9a4d9ac375abab8e60

SHA1
ff53166edfd4ee9844fa30606231f73dfd33d5a6

SHA256
10a3deecc3deb99357fb6ebfdb5f02fb5aba810af1b0a827aa2162e74f8dd172

SHA512
70a1eb0d386c7fe7da22ba32badd24164e038b6875e3a774765a51f6816a545139ffa805f94859329846b427e68f1050f94fcc0460802fee9d40250ca28636a7

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
43KB

MD5
f2d9613ee1df48a2c775735d81aed127

SHA1
df977c5ade36280e8ce9aeefefa76297e6fd1248

SHA256
200a1b6721d6fa3d5fb8ad6447d1f91a97c5132e151a92ff81c1f56b37c2d36d

SHA512
1df214c7e5bf94e0077789f963d34a497c4ac47221a978bfa11243075a4e827da9e7901b573eda9e069847396a85b30a609c4a2fbfde5ba15bcdd4263b7d7e78

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
1KB

MD5
80ecb8c522a00284b4d519e9650e1ebc

SHA1
cbbc601f614ccade11c749a263982ed8731a8563

SHA256
8b1a514d9189ab2fbeb335303adb3ff3b496768e782393512134b7cf9c25e580

SHA512
1ab1e3ec2edbcfd0e12adf8a393af58015690e38fcd9102d743cb160a3334ac8882e095f510c60ab110d94d9f5d633d9889647a93f0d3d52233789109c8129dc

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
305B

MD5
2b0819853f8b0ccd2027599bced82087

SHA1
31cf7bb1244fcfc52949f4cb99fc5f79c6b703a8

SHA256
e77bf73f9a798d13b3e7b688b9063805d81eb11dbad6c86c2f243d9f4b75dd77

SHA512
1eb7ff1b0ef359919c4d342954799588b20110a55b08d3e322c4c8519f721c4b23e10e0f9f93231dda72b15fd2c6c5f5ebeb796c9ab866cdf8199cdd20258deb

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
585B

MD5
a577c389f4ed0929e5a78c18f3649ca6

SHA1
8bc8007ba420373c6c0a3bc8857ac9e6d629bbdc

SHA256
bcc21c6cd9d23316529146dbdc7d92fb464cf05062f6b5ba40c6547a2f221600

SHA512
3585a8a74bc66a62b20cf9b616b29f5bdb31097a2cb7019562e63ea8e6fbe42d4a9f20cde2f7e71df403a005be06d946e2a74e62b86bdc4f2b538fe686bdffdb

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log

Filesize
811B

MD5
0ed24f0820bb0419ba3b79ddaf4d6667

SHA1
acad7c12fcd38bcb2cbd415ac9f567ceee028ab1

SHA256
e56a57ef6661d50a37aebeac385d6f3d874847cdac0f8ceb96bcdc0db0988b84

SHA512
879c6e2c8b8f0ff97611dc0b02c39ec832d37a29630c26d8e6b91411a0fac44bcf80d648ee011256e0e826f13997bdff4672fab0065644620c5106006f726084

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagerr.xml

Filesize
11KB

MD5
cfa556b947b67b3b0041cfa8bfb1ccc8

SHA1
8e33a71c82bda61c7cf797ccb53e2218c606abe7

SHA256
a4da3d27503f40e0357d121073b432647319fe6c1f2d600569cece1e4562a69f

SHA512
fa2c1760b13ca096cba7efe10130f4180aabdbd56dc508804ccd48a054ab6a1f161dd9cc1bcc6efca04a390097e33d587d9706b6ab678c38fd323c22f8913e69

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml

Filesize
9KB

MD5
692ca5ebc9e0cef0a8d0be4df7400cee

SHA1
f63dada2e5f7a1d786c93bc3d757642d93b24b59

SHA256
a378a154cfbf27b8471462c657f28a11fee70fd33593ac09ee216c642b26b3aa

SHA512
429b2eba8b421f3bae504ebe94da0ea9e662e5256d16301f46a4590f915b381cbc67b86c2beba391600b5f512412f1dcd9bdefc363b4c63dc7136022fa0f45bb

Download Submit
C:\Windows\System32\LogFiles\setupcln\setupact.log

Filesize
10KB

MD5
e59d10d442ba622da2c22860fb7b27a4

SHA1
462962660c14d233f9241ee573f32414d7bd6c47

SHA256
d08a79a264aa3fb6ba33befc5647d162f9e8b4b5a0c6c2da8bbb7f1bd729b594

SHA512
5177c72ebd5a4e30ff83bb399ba5cc94d745e084122c293a9a64ce59e98b67ed230a593cb59fa294a2d0ff090a281ff4f6d70d32aaeab0fca4234e952e7f76b3

Download Submit
C:\Windows\System32\LogFiles\setupcln\setuperr.log

Filesize
2KB

MD5
4f4632b1c551fe33a1cc04f4844d0a6d

SHA1
59f814272a257fb0abf9f1dc6bda39a266f74a95

SHA256
73b02621dc71022bc5b6c638ae7b461fa7c767a490ca167f17bfda18afeac4d2

SHA512
5daa58d9b731570d8e1a3d86e377657957837e18535ca9990a8ca05a0b30ac86b827c6a86296bfdd3fcfe2f3f2fd1a0c552917d751a8f40219d5d643375ba3b5

Download Submit
C:\Windows\System32\LogFiles\setupcln\setuperr.log

Filesize
1009B

MD5
1abcafe61a0b9a6f1d1bcd0781624fee

SHA1
676edc279f2235fdd0eb80433a3a9ab7d6fc2a1a

SHA256
e44da372bb66b190ce90cc5e73c81509fa1c02afd043e785a4123f0a035e24ff

SHA512
d266897c4a9f68830997f9aae4d504a314009f2f36c49dbed70e5237332529137f4ff12f70333c5811f46c0effc7fbc8f3f7ce261bef1a4b4d2f5e12e5d09f0c

Download Submit
C:\Windows\System32\LogFiles\setupcln\setuperr.log

Filesize
1KB

MD5
a9dcc26ea6507427cf37ff47935c8284

SHA1
02f5fa860c53d99be69cd75d615f5a15ce4c7e86

SHA256
67eed66e728338bcea79c01435ec003e4e7aaa5c32c92ec6d8af9d696019c335

SHA512
9451fe749ed916fef88981c451cbacea8e86b47ab0c7c11f5b3a4ee8cbf068fe7ed121357cc362bc65f800d9e706ab26a1b5856a23d496e7d08c801da265f3ba

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagerr.xml

Filesize
34KB

MD5
00c08c21283a704ea0033b63a29a3d0c

SHA1
ac59048ea0e6c932b51dcb7395e35274bef04fe2

SHA256
a14f4e7993201c053abc526a36e113d650c4c9b6e9fc0387ffba4893ce5dfe38

SHA512
fdbe1710839bb3e9fec9172d7399ef414c1f6d02f7ae91ad95e1f01d377e0271bdecbfe0f1e0b2b889b7d276814b3127497857e6a9852ff9ec041b0fb326c830

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagerr.xml

Filesize
13KB

MD5
1a72b058e0c419d63bd66e29d3c9f8fd

SHA1
1067b6f56961c8743436d02787b273c3cb7440cb

SHA256
3ca323d0fdee687438cba928d58e0d476794ecb630104574d5784f4f185d4865

SHA512
8aaf7150cd22b0a571840a949eb2248e4a042f42f6cbf1be265243b6c89af9f41eaaa056096cb2b89d27148da377f1cd933c104da609b3cf8addce66c07efa21

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagwrn.xml

Filesize
27KB

MD5
9b2c4a2b498f91d769ad53fab4794d1a

SHA1
53b0dfa34b5bc87c52caa7ff5292ddc0b7d6e3e4

SHA256
a2195074417410cb808f95842f43531fc1b9b770b874fa10310840c8dd783fca

SHA512
3a75868e058fd2c8336fffbdb1f097853e64101ed91ca17530f8f200ce1cd7b9b0bc56c6996bb40c015e1785c2e6490c27a1c410db500543bc5a068b5c128da3

Download Submit
C:\Windows\system32\LogFiles\setupcln\diagwrn.xml

Filesize
18KB

MD5
f955acda319098480a9387d86e179232

SHA1
e378bbc5ea3b4e5b51878667c111e69bf5680a79

SHA256
08b7eca58eab6179d057f1cf1f2ed3620cada3945e59abb414d8b22de018ff83

SHA512
15ad19318f4acfab3f069b7b0300f81a898503ad27417076bb52180ce4275be0be1a2e62f0c47e40168d735c19bf9d2119a9782a33dad1ba9604e056ee99a41d

Download Submit
C:\Windows\system32\LogFiles\setupcln\setupact.log

Filesize
32KB

MD5
b07fc1731478f65234e0804d89bd186c

SHA1
1c4046f178ee2300f7b941ca891d7feade337d26

SHA256
cbf98bf4aefee44f0e4290bad047fa2e36c1c24ead8e65530610a5b98642660e

SHA512
06564add8ef8670d3650480a2b80ff1082d0eef0d602a2ad90098fd3572b79f0cc74f2ceadc01c7e75ff068ceaa5cd7bc61295564fe20ed0dd831ed65eb61ff0

Download Submit
C:\Windows\system32\LogFiles\setupcln\setupact.log

Filesize
21KB

MD5
86b507b6cfb0ba7c8b2660837391ad00

SHA1
a0d30331fec17986c1b26d06bbb683d64dd79850

SHA256
73aadde3a0e554cbde074c84cca842e258b0d592de808bac95a03420af52b363

SHA512
b69e1102278e5eeba1f65a80e7dbba22d59d31f17132db9846bf3e97ca3b6963ab97181bde664ef54e73f1fba9184c589c44f1f91d06126e080ecd22fe73b1c5

Download Submit
memory/1704-373-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1704-363-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1704-349-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1704-347-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1704-346-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/5272-354-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5272-355-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5272-325-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5272-324-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5272-323-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/5272-351-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/6728-181-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-180-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-176-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-185-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-184-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-175-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-186-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-182-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-183-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6728-174-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/6980-118-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/8236-319-0x0000000035860000-0x0000000035870000-memory.dmp

Filesize
64KB

Download
memory/8500-1879-0x000002560BDB0000-0x000002560BDD2000-memory.dmp

Filesize
136KB

Download
memory/8996-360-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/8996-327-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/8996-328-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/8996-326-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/8996-369-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/8996-368-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/9196-356-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/9196-1155-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/9196-397-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/9196-359-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/9196-357-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads