Analysis
max time kernel: 328s
max time network: 325s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 11:24
Behavioral task: behavioral1
Sample: New folder.zip
Resource: win11-20240611-en
General
Target: New folder.zip
Size: 13.3MB
MD5: 1694ee8a09ebbe56390c44bae9307406
SHA1: 0f1886e199b60d9abd87e786e49f8a0557031052
SHA256: 7aa6c2e38366d1b553ce56e67f35cfa687e4ba0f7c3eaa404f5ba2449af9fbe5
SHA512: 8417fa25bd4769e747e539804c92223ae88c1879a8c9f3aad5e3a2f990db47d1cf319f3777cffc259fe6bff0312664f8621434419fc427d67aafdc56aa834c18
SSDEEP: 393216:0PfDzPD8hpXYoKMFJ4PT61E0WTTPuRr0r1+:0Pf/PY7MPTd0WTatw1+
Malware Config
Signatures
Drops file in Drivers directory (4 IoCs)
Processes: hamachi-2.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\system32\DRIVERS\SET9205.tmp | hamachi-2.exe
File created | C:\Windows\system32\DRIVERS\SET9205.tmp | hamachi-2.exe
File opened for modification | C:\Windows\system32\DRIVERS\Hamdrv.sys | hamachi-2.exe
File opened for modification | C:\Windows\System32\drivers\Hamdrv.sys | DrvInst.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (16 IoCs)
Processes: hamachi-2.exe, LMIGuardianSvc.exe, hamachi-2.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, hamachi-2.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, hamachi-2.exe, LMIGuardianSvc.exe, hamachi-2-ui.exe, LMIGuardianSvc.exe, hamachi-2-ui.exe, LMIGuardianSvc.exe, hamachi-2-ui.exe, LMIGuardianSvc.exe
pid | process
5748 | hamachi-2.exe
5844 | LMIGuardianSvc.exe
5900 | hamachi-2.exe
6100 | LMIGuardianSvc.exe
1016 | LMIGuardianSvc.exe
5980 | hamachi-2.exe
4868 | LMIGuardianSvc.exe
6100 | LMIGuardianSvc.exe
6024 | hamachi-2.exe
5936 | LMIGuardianSvc.exe
5812 | hamachi-2-ui.exe
5172 | LMIGuardianSvc.exe
3956 | hamachi-2-ui.exe
2100 | LMIGuardianSvc.exe
1308 | hamachi-2-ui.exe
5156 | LMIGuardianSvc.exe

Loads dropped DLL (28 IoCs)
Processes: MsiExec.exe, MsiExec.exe, MsiExec.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe, LMIGuardianSvc.exe
pid | process
4944 | MsiExec.exe
4944 | MsiExec.exe
4944 | MsiExec.exe
4944 | MsiExec.exe
4944 | MsiExec.exe
5756 | MsiExec.exe
5756 | MsiExec.exe
5756 | MsiExec.exe
5756 | MsiExec.exe
5756 | MsiExec.exe
5756 | MsiExec.exe
5164 | MsiExec.exe
5164 | MsiExec.exe
5164 | MsiExec.exe
5844 | LMIGuardianSvc.exe
6100 | LMIGuardianSvc.exe
5164 | MsiExec.exe
1016 | LMIGuardianSvc.exe
5164 | MsiExec.exe
4868 | LMIGuardianSvc.exe
6100 | LMIGuardianSvc.exe
5164 | MsiExec.exe
5164 | MsiExec.exe
5936 | LMIGuardianSvc.exe
4944 | MsiExec.exe
5172 | LMIGuardianSvc.exe
2100 | LMIGuardianSvc.exe
5156 | LMIGuardianSvc.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: msiexec.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogMeIn Hamachi Ui = "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2-ui.exe\" --auto-start" | msiexec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe

Drops file in System32 directory (16 IoCs)
Processes: DrvInst.exe, hamachi-2.exe
description | ioc | process
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\Hamdrv.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C0.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\Hamdrv.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C1.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\hamdrv.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.PNF | hamachi-2.exe
File created | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C0.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\hamdrv.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C2.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad}\SET92C1.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{473a5891-5c29-bb48-b9e6-d41e67c1a7ad} | DrvInst.exe

Drops file in Program Files directory (16 IoCs)
Processes: msiexec.exe
description | ioc | process
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianEvt.Dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.sys | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianEvt.Dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.inf | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.inf | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.cat | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\ReleaseNotes.rtf | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\hamachi.lng | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.cat | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.sys | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianDll.dll | msiexec.exe

Drops file in Windows directory (55 IoCs)
Processes: hamachi-2.exe, svchost.exe, DrvInst.exe, msiexec.exe, hamachi-2.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id | hamachi-2.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.updating | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bak | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.updating | hamachi-2.exe
File created | C:\Windows\SystemTemp\~DFED660F59BAAFFD47.TMP | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.updating | hamachi-2.exe
File opened for modification | C:\Windows\Installer\{C00E2143-38F2-49BA-AB8A-03F22F02F0A4}\UninstallIcon.ico | msiexec.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.bak | hamachi-2.exe
File opened for modification | C:\Windows\Installer\MSI8AD1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8B20.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8B71.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB8F1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC269.tmp | msiexec.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini | hamachi-2.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C00E2143-38F2-49BA-AB8A-03F22F02F0A4} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB892.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\SystemTemp\~DF9B48D612DC7774D5.TMP | msiexec.exe
File created | C:\Windows\Installer\e598a16.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF0DDF437AEB4ACDFC.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8C6C.tmp | msiexec.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.bak | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.updating | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-server.key | hamachi-2.exe
File opened for modification | C:\Windows\Installer\MSI8B41.tmp | msiexec.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bak | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.updating | hamachi-2.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.updating | hamachi-2.exe
File opened for modification | C:\Windows\Installer\e598a16.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8DB7.tmp | msiexec.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id | hamachi-2.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\e598a18.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F7D.tmp | msiexec.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIC249.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFA86E2AED6ED45F6F.TMP | msiexec.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.bak | hamachi-2.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\{C00E2143-38F2-49BA-AB8A-03F22F02F0A4}\UninstallIcon.ico | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F9D.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | hamachi-2.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.bak | hamachi-2.exe
File opened for modification | C:\Windows\Installer\MSI8B51.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8C7D.tmp | msiexec.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-client.key | hamachi-2.exe

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe
pid | process
5728 | sc.exe
5720 | sc.exe

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 45 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe (15 instances)
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
5840 | 3956 | WerFault.exe | hamachi-2-ui.exe

Checks SCSI registry key(s) (3 TTPs, 51 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: hamachi-2.exe, svchost.exe, DrvInst.exe, vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | hamachi-2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007faf6a05fbc582680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007faf6a050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007faf6a05000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7faf6a05000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007faf6a0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | hamachi-2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Processes: MsiExec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hamachi-2-ui.exe = "11000" | MsiExec.exe

Modifies data under HKEY_USERS (64 IoCs)
Processes: msiexec.exe, hamachi-2.exe, DrvInst.exe, hamachi-2.exe, svchost.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial\Default | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | hamachi-2.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | hamachi-2.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | hamachi-2.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | hamachi-2.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Modifies registry class 64 IoCs
NTFS ADS 1 IoCs
firefox.exe: File created C:\Users\Admin\Downloads\New folder.zip:Zone.Identifier
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 29 IoCs
Suspicious use of SendNotifyMessage 26 IoCs
Suspicious use of SetWindowsHookEx 25 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth in the process tree)
-
C:\Windows\Explorer.exe
  cmdline: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder.zip"

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.0.1037582515\90514180" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1716 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf021413-83b2-4428-9662-65301bf12198} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 1832 1e20e909858 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.1.533239886\317904640" -parentBuildID 20230214051806 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3641486e-473a-408c-b126-cbbf9c47a8fe} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 2356 1e201c88758 socket

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.2.184901397\476523844" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2952 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a54cbc09-7358-4aa0-8153-836ed1f5c2cb} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 2972 1e2111f9f58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.3.1984113890\1437601141" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35fb12f9-afe8-42e4-b981-c64dd39db37e} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 3564 1e214307158 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.4.1443336614\1883470980" -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5388 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {498c5d2f-d49a-4282-abee-17318e9a5c52} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 5400 1e2155a1a58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.5.1609086075\2019633307" -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5476 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d067edb-1922-4764-afb7-abb5b1770798} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 5460 1e216d9bb58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.6.562195675\37320335" -childID 5 -isForBrowser -prefsHandle 5176 -prefMapHandle 5200 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76375eed-be1e-49a6-b643-22425623b715} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 5648 1e216d9ac58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1908.7.974203143\1024724364" -childID 6 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2b8c622-531d-4f3f-83f5-6969f5f66adc} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" 3732 1e20dc95a58 tab

C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\New folder\New folder\hamachi.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C677ADB9D6A2DBB9D23286477021A20C C
    - Loads dropped DLL

    C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
      cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --ipc-timeout 30
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

      C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
        cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" /escort 5812 /CUSTOM Hamachi
        - Executes dropped EXE
        - Loads dropped DLL

  C:\Windows\system32\srtasks.exe
    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DA4F7752432774982B456C43B162A6AD
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F03166134CFC1A903A80DF39D6978B7C E Global\MSI0000
    - Loads dropped DLL
    - Modifies Internet Explorer settings

    C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
      cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --add-tap-at-install Hamachi
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS

      C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
        cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5748 /CUSTOM Hamachi
        - Executes dropped EXE
        - Loads dropped DLL

      C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh interface ipv4 set subinterface "Ethernet 2" mtu=1404 store=persistent
        - Event Triggered Execution: Netsh Helper DLL

      C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh.exe interface set interface name="Ethernet 2" newname="Hamachi"
        - Event Triggered Execution: Netsh Helper DLL

      C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh interface tcp set global autotuninglevel=normal
        - Event Triggered Execution: Netsh Helper DLL

      C:\Windows\SysWOW64\netsh.exe
        cmdline: netsh interface tcp set global rss=enabled
        - Event Triggered Execution: Netsh Helper DLL

    C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
      cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --config Hamachi 25.0.0.1
      - Executes dropped EXE

      C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
        cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5900 /CUSTOM Hamachi
        - Executes dropped EXE
        - Loads dropped DLL

    C:\Windows\SysWOW64\sc.exe
      cmdline: sc config Hamachi2Svc depend= winmgmt
      - Launches sc.exe

    C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
      cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" -Service
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class

    C:\Windows\SysWOW64\sc.exe
      cmdline: sc config Hamachi2Svc depend= winmgmt
      - Launches sc.exe

C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)

  C:\Windows\system32\DrvInst.exe
    cmdline: DrvInst.exe "4" "1" "c:\program files (x86)\logmein hamachi\x64\hamdrv.inf" "9" "42b53aaff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\logmein hamachi\x64"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

  C:\Windows\system32\DrvInst.exe
    cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:db04a16c4ff220c2:Hamachi.ndi:15.28.40.464:hamachi," "42b53aaff" "0000000000000148" "9d6e"
    - Drops file in Drivers directory
    - Drops file in Windows directory

C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s --get-config
  - Executes dropped EXE

  C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
    cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5980 /CUSTOM Hamachi
    - Executes dropped EXE
    - Loads dropped DLL

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe"
  - Executes dropped EXE
  - Loads dropped DLL

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

  C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
    cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 6024 /CUSTOM Hamachi
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 add address interface="10" address=2620:9b::1920:5650 type=unicast store=persistent
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 delete route ::/0 "10"
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 add route interface="10" prefix=2620:9b::/96 store=persistent
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 add route ::/0 "10" 2620:9b::1900:1 metric=9000 publish=yes
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 delete route ::/0 "10"
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 add route ::/0 "10" 2620:9b::1900:1 metric=9000 publish=yes
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 delete route interface="10" prefix=2620:9b::/64
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 delete route ::/0 "10"
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\system32\netsh.exe
    cmdline: netsh interface ipv6 add route ::/0 "10" 2620:9b::1900:1 metric=9000 publish=yes
    - Event Triggered Execution: Netsh Helper DLL

C:\Windows\SysWOW64\werfault.exe
  cmdline: werfault.exe /h /shared Global\8553b9ec6599446b8aceff65bc39ed01 /t 4900 /p 5812

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
  cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
    cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" /escort 3956 /CUSTOM Hamachi
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1420
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3956 -ip 3956

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
  cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
    cmdline: "C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" /escort 1308 /CUSTOM Hamachi
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (2): Netsh Helper DLL (1), Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Event Triggered Execution (2): Netsh Helper DLL (1), Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads