quasar | hxxps://justbeamit[.]com/yem57

Analysis

max time kernel
443s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://justbeamit.com/yem57

Score

10^/10

quasar office04 discovery evasion persistence privilege_escalation spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.240.115.45:4782

Mutex

2cc201c7-b02e-4a34-8806-aa9a8d33ae2d

Attributes

encryption_key
64024FEFC383421D2550E88D4DBE252B6BA53116
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1876-177-0x0000000000440000-0x0000000000764000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral1/memory/1876-177-0x0000000000440000-0x0000000000764000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Drops file in Drivers directory 4 IoCs

Processes:

hamachi-2.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\Hamdrv.sys	hamachi-2.exe
File opened for modification	C:\Windows\System32\drivers\Hamdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETFCD9.tmp	hamachi-2.exe
File created	C:\Windows\system32\DRIVERS\SETFCD9.tmp	hamachi-2.exe

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1792 netsh.exe
5484 netsh.exe
2064 netsh.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

pid	process
1792	netsh.exe
5484	netsh.exe
2064	netsh.exe

Executes dropped EXE 19 IoCs

Processes:

Client.exehamachi-2.exeLMIGuardianSvc.exehamachi-2.exeLMIGuardianSvc.exeLMIGuardianSvc.exehamachi-2.exeLMIGuardianSvc.exeLMIGuardianSvc.exehamachi-2.exeLMIGuardianSvc.exehamachi-2-ui.exeLMIGuardianSvc.exezerotier-one_x64.exeMSI86C4.tmpzerotier_desktop_ui.exezerotier_desktop_ui.exezerotier_desktop_ui.exezerotier_desktop_ui.exe

pid	process
1868	Client.exe
6004	hamachi-2.exe
6068	LMIGuardianSvc.exe
5868	hamachi-2.exe
5772	LMIGuardianSvc.exe
5416	LMIGuardianSvc.exe
6132	hamachi-2.exe
6072	LMIGuardianSvc.exe
6048	LMIGuardianSvc.exe
5516	hamachi-2.exe
5416	LMIGuardianSvc.exe
5532	hamachi-2-ui.exe
4852	LMIGuardianSvc.exe
5308	zerotier-one_x64.exe
5964	MSI86C4.tmp
2236	zerotier_desktop_ui.exe
5136	zerotier_desktop_ui.exe
5556	zerotier_desktop_ui.exe
5988	zerotier_desktop_ui.exe

Loads dropped DLL 50 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeLMIGuardianSvc.exeLMIGuardianSvc.exeLMIGuardianSvc.exeLMIGuardianSvc.exeLMIGuardianSvc.exeLMIGuardianSvc.exeLMIGuardianSvc.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
2956	MsiExec.exe
2956	MsiExec.exe
2956	MsiExec.exe
2956	MsiExec.exe
2956	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
5716	MsiExec.exe
5716	MsiExec.exe
5716	MsiExec.exe
6068	LMIGuardianSvc.exe
5772	LMIGuardianSvc.exe
5716	MsiExec.exe
5416	LMIGuardianSvc.exe
5716	MsiExec.exe
6072	LMIGuardianSvc.exe
6048	LMIGuardianSvc.exe
5716	MsiExec.exe
5716	MsiExec.exe
5416	LMIGuardianSvc.exe
2956	MsiExec.exe
4852	LMIGuardianSvc.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5224	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5680	MsiExec.exe
5392	MsiExec.exe
5392	MsiExec.exe
5392	MsiExec.exe
5392	MsiExec.exe
5392	MsiExec.exe

Modifies file permissions 1 TTPs 12 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

4352 icacls.exe
5376 icacls.exe
2768 icacls.exe
4736 icacls.exe
2556 icacls.exe
4320 icacls.exe
1932 icacls.exe
5388 icacls.exe
4084 icacls.exe
2292 icacls.exe
1844 icacls.exe
908 icacls.exe

pid	process
4352	icacls.exe
5376	icacls.exe
2768	icacls.exe
4736	icacls.exe
2556	icacls.exe
4320	icacls.exe
1932	icacls.exe
5388	icacls.exe
4084	icacls.exe
2292	icacls.exe
1844	icacls.exe
908	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogMeIn Hamachi Ui = "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2-ui.exe\" --auto-start"	msiexec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

99 2884 msiexec.exe
99 2884 msiexec.exe

flow	pid	process
99	2884	msiexec.exe
99	2884	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 16 IoCs

Processes:

DrvInst.exehamachi-2.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.PNF	hamachi-2.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\hamdrv.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\Hamdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\Hamdrv.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\hamdrv.inf	DrvInst.exe

Drops file in Program Files directory 20 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File created	C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianEvt.Dll	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.sys	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.sys	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.cat	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianEvt.Dll	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\ReleaseNotes.rtf	msiexec.exe
File created	C:\Program Files (x86)\ZeroTier\One\regid.2010-01.com.zerotier_ZeroTierOne.swidtag	MsiExec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.cat	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.inf	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianDll.dll	msiexec.exe
File created	C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat	MsiExec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.inf	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe	msiexec.exe
File created	C:\Program Files (x86)\LogMeIn Hamachi\hamachi.lng	msiexec.exe
File created	C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe	msiexec.exe
File created	C:\Program Files (x86)\ZeroTier\One\zerotier-idtool.bat	MsiExec.exe

Drops file in Windows directory 64 IoCs

Processes:

hamachi-2.exemsiexec.exeDrvInst.exeDrvInst.exehamachi-2.exesvchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.bak	hamachi-2.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bak	hamachi-2.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-client.key	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSI79C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\ZeroTierIcon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0D4.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log	hamachi-2.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bak	hamachi-2.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id	hamachi-2.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7F0.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.bak	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSIF810.tmp	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.updating	hamachi-2.exe
File created	C:\Windows\Installer\e58ef50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79B6.tmp	msiexec.exe
File created	C:\Windows\Installer\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\ZeroTierIcon.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	hamachi-2.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSI7C5E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C00E2143-38F2-49BA-AB8A-03F22F02F0A4}	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id	hamachi-2.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg	hamachi-2.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.updating	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSI7AA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFF9.tmp	msiexec.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini	hamachi-2.exe
File opened for modification	C:\Windows\Installer\e58ef50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8664.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8675.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58ef4d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF104.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF164.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20F7.tmp	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-server.key	hamachi-2.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.id.bak	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSI2069.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF134.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF379.tmp	msiexec.exe
File created	C:\Windows\Installer\{C00E2143-38F2-49BA-AB8A-03F22F02F0A4}\UninstallIcon.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2A2F.tmp	msiexec.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.updating	hamachi-2.exe
File opened for modification	C:\Windows\Installer\MSI7946.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DD7.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ef52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C00E2143-38F2-49BA-AB8A-03F22F02F0A4}\UninstallIcon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86C4.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ef4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79D7.tmp	msiexec.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

5452 sc.exe
6140 sc.exe

pid	process
5452	sc.exe
6140	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5920 5532 WerFault.exe hamachi-2-ui.exe

pid	pid_target	process	target process
5920	5532	WerFault.exe	hamachi-2-ui.exe

Checks SCSI registry key(s) 3 TTPs 54 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DrvInst.exesvchost.exevssvc.exehamachi-2.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a1a8d825d9cc14480000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a1a8d8250000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a1a8d825000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da1a8d825000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a1a8d82500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	hamachi-2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	hamachi-2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	hamachi-2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hamachi-2-ui.exe = "11000"	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

hamachi-2.exeDrvInst.exeMsiExec.exemsiexec.exehamachi-2.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\C:\Program Files (x86)\ZeroTier\One\zerotier-idtool.bat = "*"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	hamachi-2.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Caphyon	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat = "*"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\TXT Updater Config\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	hamachi-2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer\XML Config\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Caphyon\Advanced Installer	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	hamachi-2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

LMIGuardianSvc.exemsiexec.exemsedge.exetaskmgr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageDE = "\x06Ui"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\Engine = "Complete"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageNL = "\x06Ui"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\PackageCode = "BD8AE51CFD1484C47840D7F4BAD7E9BB"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E80E241A66716B4F9A16046F5141A90	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\PackageName = "ZeroTier One.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\LocalServer32\ = "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\x64\\LMIGuardianSvc.exe\""	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\ = "LMIGuardianSvc 1.0 Type Library"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageFR = "\x06Ui"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{D255327A-6E11-4A6F-AAA8-97C53EDE654D}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A88085CEF0E45DB40B2BDF188C30EE4C\zttap300_2 = "ZeroTierOne"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\LocalServer32	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32	LMIGuardianSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\ProductIcon = "C:\\Windows\\Installer\\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\\ZeroTierIcon.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\LocalService = "LMIGuardianSvc"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc.1	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\ = "{FAC58A4E-76CC-418B-8829-6DE882474472}"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\CurVer	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\ProductName = "Hamachi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\PackageCode = "6239770192D4C6D42AEA541CF631E529"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\ = "LMIGuardianSvc"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\CLSID	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\AppID = "{67E4A0D8-8675-4FBB-BC62-F10EC894327E}"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMIGuardianSvc.EXE\AppID = "{67E4A0D8-8675-4FBB-BC62-F10EC894327E}"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A88085CEF0E45DB40B2BDF188C30EE4C\zttap300 = "ZeroTierOne"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\ = "GuardianSvc Class"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\TypeLib	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageHU = "\x06Ui"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\0	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LogMeIn Hamachi\\x64"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\AccessPermission = 010014807400000084000000140000003000000002001c000100000011001400010000000101000000000010001000000200440003000000000014000b000000010100000000000504000000000014000b00000001010000000000050b000000000014000b0000000101000000000005120000000102000000000005200000002002000001020000000000052000000020020000	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\Version = "1.0"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageTR = "\x06Ui"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E80E241A66716B4F9A16046F5141A90\3412E00C2F83AB94BAA8302FF2200F4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageHE = "\x06Ui"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageRU = "\x06Ui"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Version = "33751040"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc.1\ = "GuardianSvc Class"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\VersionIndependentProgID	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\0\win64\ = "C:\\Program Files (x86)\\LogMeIn Hamachi\\x64\\LMIGuardianSvc.exe\\1"	LMIGuardianSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\HELPDIR	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ = "IGuardianSvc"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\ = "{FAC58A4E-76CC-418B-8829-6DE882474472}"	LMIGuardianSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageNO = "\x06Ui"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguagePTBR = "\x06Ui"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguagePL = "\x06Ui"	msiexec.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 180415.crdownload:SmartScreen msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

408 schtasks.exe
3964 schtasks.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 180415.crdownload:SmartScreen	msedge.exe

pid	process
408	schtasks.exe
3964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskmgr.exemsedge.exe

pid	process
4924	msedge.exe
4924	msedge.exe
4840	msedge.exe
4840	msedge.exe
444	identity_helper.exe
444	identity_helper.exe
2240	msedge.exe
2240	msedge.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
5900	msedge.exe
5900	msedge.exe
5900	msedge.exe
5900	msedge.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeClient.exe

pid process

3148 taskmgr.exe
1868 Client.exe

pid	process
3148	taskmgr.exe
1868	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

msedge.exe

pid	process
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client-built - Copy.exeClient.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1876	Client-built - Copy.exe
Token: SeDebugPrivilege	1868	Client.exe
Token: SeShutdownPrivilege	2884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	3096	msiexec.exe
Token: SeCreateTokenPrivilege	2884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2884	msiexec.exe
Token: SeLockMemoryPrivilege	2884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2884	msiexec.exe
Token: SeMachineAccountPrivilege	2884	msiexec.exe
Token: SeTcbPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeLoadDriverPrivilege	2884	msiexec.exe
Token: SeSystemProfilePrivilege	2884	msiexec.exe
Token: SeSystemtimePrivilege	2884	msiexec.exe
Token: SeProfSingleProcessPrivilege	2884	msiexec.exe
Token: SeIncBasePriorityPrivilege	2884	msiexec.exe
Token: SeCreatePagefilePrivilege	2884	msiexec.exe
Token: SeCreatePermanentPrivilege	2884	msiexec.exe
Token: SeBackupPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeShutdownPrivilege	2884	msiexec.exe
Token: SeDebugPrivilege	2884	msiexec.exe
Token: SeAuditPrivilege	2884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2884	msiexec.exe
Token: SeChangeNotifyPrivilege	2884	msiexec.exe
Token: SeRemoteShutdownPrivilege	2884	msiexec.exe
Token: SeUndockPrivilege	2884	msiexec.exe
Token: SeSyncAgentPrivilege	2884	msiexec.exe
Token: SeEnableDelegationPrivilege	2884	msiexec.exe
Token: SeManageVolumePrivilege	2884	msiexec.exe
Token: SeImpersonatePrivilege	2884	msiexec.exe
Token: SeCreateGlobalPrivilege	2884	msiexec.exe
Token: SeCreateTokenPrivilege	2884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2884	msiexec.exe
Token: SeLockMemoryPrivilege	2884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2884	msiexec.exe
Token: SeMachineAccountPrivilege	2884	msiexec.exe
Token: SeTcbPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeLoadDriverPrivilege	2884	msiexec.exe
Token: SeSystemProfilePrivilege	2884	msiexec.exe
Token: SeSystemtimePrivilege	2884	msiexec.exe
Token: SeProfSingleProcessPrivilege	2884	msiexec.exe
Token: SeIncBasePriorityPrivilege	2884	msiexec.exe
Token: SeCreatePagefilePrivilege	2884	msiexec.exe
Token: SeCreatePermanentPrivilege	2884	msiexec.exe
Token: SeBackupPrivilege	2884	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeShutdownPrivilege	2884	msiexec.exe
Token: SeDebugPrivilege	2884	msiexec.exe
Token: SeAuditPrivilege	2884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2884	msiexec.exe
Token: SeChangeNotifyPrivilege	2884	msiexec.exe
Token: SeRemoteShutdownPrivilege	2884	msiexec.exe
Token: SeUndockPrivilege	2884	msiexec.exe
Token: SeSyncAgentPrivilege	2884	msiexec.exe
Token: SeEnableDelegationPrivilege	2884	msiexec.exe
Token: SeManageVolumePrivilege	2884	msiexec.exe
Token: SeImpersonatePrivilege	2884	msiexec.exe
Token: SeCreateGlobalPrivilege	2884	msiexec.exe
Token: SeCreateTokenPrivilege	2884	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe
3148	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Client.exehamachi-2-ui.exezerotier_desktop_ui.exezerotier_desktop_ui.exe

pid process

1868 Client.exe
5532 hamachi-2-ui.exe
5532 hamachi-2-ui.exe
5532 hamachi-2-ui.exe
5532 hamachi-2-ui.exe
5556 zerotier_desktop_ui.exe
5988 zerotier_desktop_ui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4840 wrote to memory of 2256	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2256	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 2900	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 4924	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 4924	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe
PID 4840 wrote to memory of 1224	4840	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justbeamit.com/yem57
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15c846f8,0x7ffd15c84708,0x7ffd15c84718
2⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
2⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6944 /prefetch:8
2⤵
- Modifies registry class
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
2⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
2⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
2⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
2⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
2⤵
PID:5620

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\ZeroTier One.msi"
2⤵
- Enumerates connected drives
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
2⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1
2⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
2⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
2⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
2⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
2⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
2⤵
PID:5792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4204

C:\Users\Admin\Desktop\New folder\Client-built - Copy.exe
"C:\Users\Admin\Desktop\New folder\Client-built - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\New folder\hamachi.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E4E0E7C115675A375F9725AF39CA839B C
2⤵
- Loads dropped DLL
PID:2956

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --ipc-timeout 30
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" /escort 5532 /CUSTOM Hamachi
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 2628
4⤵
- Program crash
PID:5920

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4080

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EA63BAAB7F2B4B25762B7DD0C79879BD
2⤵
- Loads dropped DLL
PID:5180

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1CAED7153F369A9B5A1076DA2A9ED6AF E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:5716

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --add-tap-at-install Hamachi
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6004

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 6004 /CUSTOM Hamachi
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6068

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set subinterface "Ethernet 2" mtu=1404 store=persistent
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5408

C:\Windows\SysWOW64\netsh.exe
netsh.exe interface set interface name="Ethernet 2" newname="Hamachi"
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2768

C:\Windows\SysWOW64\netsh.exe
netsh interface tcp set global autotuninglevel=normal
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5840

C:\Windows\SysWOW64\netsh.exe
netsh interface tcp set global rss=enabled
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5400

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --config Hamachi 25.0.0.1
3⤵
- Executes dropped EXE
PID:5868

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5868 /CUSTOM Hamachi
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5772

C:\Windows\SysWOW64\sc.exe
sc config Hamachi2Svc depend= winmgmt
3⤵
- Launches sc.exe
PID:6140

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" -Service
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5416

C:\Windows\SysWOW64\sc.exe
sc config Hamachi2Svc depend= winmgmt
3⤵
- Launches sc.exe
PID:5452

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7B55FB475A5BFE3782C7AA09C2FCBA05 C
2⤵
- Loads dropped DLL
PID:5224

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CA9A2D5394F421146AFC57F2D75E0C09
2⤵
- Loads dropped DLL
PID:5680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FE4AFC8453084C0D5D8F3EF729C3E316 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5392

C:\Windows\Installer\MSI86C4.tmp
"C:\Windows\Installer\MSI86C4.tmp" /DontWait "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
2⤵
- Executes dropped EXE
PID:5964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:3148

C:\Windows\System32\jatns2.exe
"C:\Windows\System32\jatns2.exe"
1⤵
PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5340

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "c:\program files (x86)\logmein hamachi\x64\hamdrv.inf" "9" "42b53aaff" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\logmein hamachi\x64"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5376

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:db04a16c4ff220c2:Hamachi.ndi:15.28.40.464:hamachi," "42b53aaff" "0000000000000170"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
PID:5644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:5380

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s --get-config
1⤵
- Executes dropped EXE
PID:6132

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 6132 /CUSTOM Hamachi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6072

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6048

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5516

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
"C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5516 /CUSTOM Hamachi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5416

C:\Windows\system32\netsh.exe
netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5484

C:\Windows\system32\netsh.exe
netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5144

C:\Windows\system32\netsh.exe
netsh interface ipv6 add address interface="10" address=2620:9b::1920:a7c0 type=unicast store=persistent
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5256

C:\Windows\system32\netsh.exe
netsh interface ipv6 delete route ::/0 "10"
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4300

C:\Windows\system32\netsh.exe
netsh interface ipv6 add route interface="10" prefix=2620:9b::/96 store=persistent
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3760

C:\Windows\system32\netsh.exe
netsh interface ipv6 add route ::/0 "10" 2620:9b::1900:1 metric=9000 publish=yes
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5532 -ip 5532
1⤵
PID:5152

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:6036

C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe
C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\System32\netsh.exe
C:\Windows\System32\netsh.exe advfirewall firewall delete rule name="ZeroTier One" program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe"
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2064

C:\Windows\System32\netsh.exe
C:\Windows\System32\netsh.exe advfirewall firewall add rule name="ZeroTier One" dir=in action=allow program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1792

C:\Windows\System32\netsh.exe
C:\Windows\System32\netsh.exe advfirewall firewall add rule name="ZeroTier One" dir=out action=allow program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe" enable=yes
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5484

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /inheritance:d /Q
2⤵
- Modifies file permissions
PID:1932

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /remove *S-1-5-32-545 /Q
2⤵
- Modifies file permissions
PID:4352

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /remove:g Everyone /t /c /Q
2⤵
- Modifies file permissions
PID:5376

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /inheritance:d /Q
2⤵
- Modifies file permissions
PID:5388

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /remove *S-1-5-32-545 /Q
2⤵
- Modifies file permissions
PID:2768

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /remove:g Everyone /t /c /Q
2⤵
- Modifies file permissions
PID:4736

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /inheritance:d /Q
2⤵
- Modifies file permissions
PID:2556

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /remove *S-1-5-32-545 /Q
2⤵
- Modifies file permissions
PID:4320

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /remove:g Everyone /t /c /Q
2⤵
- Modifies file permissions
PID:4084

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /inheritance:d /Q
2⤵
- Modifies file permissions
PID:2292

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /remove *S-1-5-32-545 /Q
2⤵
- Modifies file permissions
PID:1844

C:\Windows\System32\icacls.exe
C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /remove:g Everyone /t /c /Q
2⤵
- Modifies file permissions
PID:908

C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
"C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
"C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe" about 1.14.0
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5556

C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
"C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
1⤵
- Executes dropped EXE
PID:5136

C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
"C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe" join_prompt
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58ef4e.rbs
Filesize
23KB

MD5
5956ae89f43469262501346b95349600

SHA1
7e38e42e87da922158b0babcc2eedb3a86e18ae0

SHA256
7649cf6e58a7b1e98ba8b4c303daa3e661fe4d9bf0f0c053f92b2e1db7931676

SHA512
53531a926e3bf10558f4d1fb444ea2d95c362ec98702166aeda08e59886ad90440406f8472e3fd8a0cadc3b17ac61692f4b49cac17e6daaaccbea1601905175b

Download Submit
C:\Config.Msi\e58ef51.rbs
Filesize
2.8MB

MD5
4880d687ff243ed21deb86d2e3915266

SHA1
31578b9c050e8751e725cd82b0b25c71ece7d593

SHA256
053cd55bb969dee91bb461ec22aab4f0addd3f656e97a2f34e4fee3a07a049d8

SHA512
59fbb95b864fa8020a7582ec8f24be6449f5662cdf96fd5c2fc79e1076f2a5c1d88ce1acd993bed01de7b2827d54893a4c37fd018935757ffe6a9d2541233ee5

Download Submit
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
Filesize
7.5MB

MD5
f33e0de70dba0f3230e1cf3f718b9648

SHA1
ed831d88ce5cfbe959f9e0fdf9488c7bfbe98958

SHA256
7c504514fe975002ce3ee60562c865397633e147aec1a0a68f32edf018b89742

SHA512
beb455bc3e8641c000782ee41f5e0ff254c43459005065e95355d4a152a20245a559ae1ce26f8afce94b5be5bd2f116550f7df82f2dfefc7d8de11c6067da730

Download Submit
C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianDll.dll
Filesize
2.0MB

MD5
df7051274b6080da5298c61decad2fdf

SHA1
33168489e0704cba116af5417f66f99e5c184abe

SHA256
bfec06ad20dddb565fea958c273dea14cd510f24be57e8f56d35168632a81875

SHA512
506ca6cef3bd7fd8f56e934c97d4e791e330fff492d89575ce40f0123fbffaf3010f9637af3fed997bc0d642b3027d767bd93efe6c37a06b40ba0dc354a994b6

Download Submit
C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
Filesize
409KB

MD5
0554f3b69d39d175dd110d765c11347a

SHA1
131bc6ca3960476e16fbaad091d26e92f2093437

SHA256
a57d5ce0cba04806eb0c6d8943d85c5ab63119a99fa8f8000bdf54cccd1c1bf9

SHA512
0ebbcec7337387cb7b59a86f80269925f369112d3a9cd817fc9de5d7c978a52665ad3bd6967a8f2b36765974f808e51d8dd59fd1e80149fd5a5de4d987833f06

Download Submit
C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
Filesize
4.7MB

MD5
493510f5eb2c49efea54e58a83677e13

SHA1
14ec94b796cd426c001840421c4ce43750cefd2a

SHA256
199febb05fff1cca01f7f7672be99d9d0ee73b0371bd63513635dde133f3e2cc

SHA512
85b92ca63797ae5303557dc1d6771acb4bc09ddd2f3391614a3f40b2a3604b6c63566b44beb8c65da3436edad44c90b401f8b220f5fb921f287970e50438fe87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
471B

MD5
76ee0d6269ef4316fde97a721fc7b86c

SHA1
510dbe93dce5205b47bb6f5d5735479cc1c1b019

SHA256
3e0084137ce0f989f85763cd47afad018e93dfe939187a35ece1e909333fe124

SHA512
5da30c5c740ef5ec55efac7cace20a15a2f619d597e58aa9179962b32b0b4cc40d1fa317db3ad68e98abebec66ea441a8daa7a9c661a13cecdc3c569e2f6f542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA
Filesize
727B

MD5
5a324e98de8b7b4ff27373ee026fa151

SHA1
2fc865db95881573bd59376d8e42bc0e7becafc8

SHA256
ffdcb460b9b7101e819f5e62812459292935df36e952d2e7600ee553696eba88

SHA512
1c812dea8a14063e63bad96be61c16c91516123c74e3a383fd4c9cd5f881eaa3a2d6775c0c5f7f30bf3f25b2ecfd3537e74aa46191d46fc6a15f91168fa07680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
3d1d225e6cbe0f0cb27fbed1f2d787a2

SHA1
4a9c9ba04a020f0dd4cab27c05996208870f92ae

SHA256
22efc5a1b57278450df3bc9ac027c371d73389a72d081efcef3868c28c31c094

SHA512
4467f9dcd92d22d76d61fecbf95b630e4739f665b778a5faa94c250a23bf1fd1c0c2dce9714b53a09da820ccc2d6cc3a0283bbd5539c40266366a7e733fe845c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
400B

MD5
a92b3581d0fe24c64748d058fb56c876

SHA1
cbe93341d602a9074dd0eb1d2a8e652ca995803e

SHA256
37ffda1c332da171db6403f2a38690d6ccd017f0fc8a524266eb721083c1ba9e

SHA512
2d0a36645daeaf928277bbc42d8089988a271f6634edf89c12b60441d5092e573c325196651928ccfccaa0faed81bbad06bd9380209e71d5fbf97a2564361fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA
Filesize
408B

MD5
aed55f795f81ce26eea54fc926dbbf60

SHA1
ec287ebdea68fc8b9db32f0c644db39c998240e3

SHA256
c5e7591714303780a45664fbf2e9e8ff365acb058e82a765f6b4777ac5b99b53

SHA512
a6a0d21f26d9ef4b96929c9480a75cd9c389c9f510fcf21030595b51e732158b7d3c0db844538f839532ef2fe801090734d808b1c7c034b123a4f223f3d83ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B

MD5
22ed2b6b0f3fb03ceaf748779ebe8520

SHA1
32691c6aab518c03a3df615d47359ea8ba2f58ca

SHA256
bdb4de6e3a9978d6076bbbece9f636c35a06e4dc699590cc2c803d15ab2103c0

SHA512
f3097c20c5f35c8f84811ba3d04d9a4c0f31522622203334bf4b326571367505ae0dd2652e2b11aee6be616253439563f5e031d656adfc29e5fc25fc0fdecfc7

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
Filesize
178B

MD5
f09f1e5c5c0d4d1a47782a14fb80f88a

SHA1
d417f1113c2e5683538585c01bbc213b85f49b56

SHA256
46a9b1ee2520f8f1c9b51c1682d3a4715c1865594783d1200d7d2607bffac4a1

SHA512
21313ea338d3b10c4f55bdbad8f1c7479d1a50c2d9ec1225163bda1a1fecde2e652b5ebc271a10ca45af3c2619e349371ccddafbf77cfa79c255835cc0b3a959

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
Filesize
343B

MD5
050b662de562724e2e970c6b1fa54f2c

SHA1
bf66591dd1acc6148a2385cc09097ef80cf97e08

SHA256
1ae15cdc54a53fcbd7c47dfbc2ab33a5820cbefcf49f05f6c479b02791d7a97e

SHA512
30ef3772b7925538b233543004542e2f656f20df64e8d2f052d25700e2060c49cfcafae4bbb4976ab725ef6b1ec1906a004b1790b883246260bc0db93680f260

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
Filesize
1KB

MD5
90e05b27b7ac8417d5b1b8bbded48303

SHA1
3448b3a4106395527140425322ee40edb98e6543

SHA256
4ec047e04a3f83f258757ee2aecd1e9b4bc34f7b74ba4da88f2b777ba09631b5

SHA512
46cf8db16bfbcdad515c55824c90c3335132b880815a5ac4051e21e31e5e93c36b2db89395beffae4de7341091485af2b4a06f20fc29e52e4be33fc499e4c1c0

Download Submit
C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
Filesize
1KB

MD5
768075c152c2dbc698a8cfdacf235b5a

SHA1
bfad06f6b854a21911f770ed3c96ebdedb0370ae

SHA256
9d0dc8cc12b5c389d51ff17bda32fbdc8a6c78d92944ea4ec00f527e4c72f1e1

SHA512
d5e2ffd5fec8e5274e6ced7faea45cfa7d6117987a8aab53562e9c8d810a6aeef9dc75532ce8d98df6a8550160cbbf70a8e00e98f65666da80127d9aafde4dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
41KB

MD5
b15016a51bd29539b8dcbb0ce3c70a1b

SHA1
4eab6d31dea4a783aae6cabe29babe070bd6f6f0

SHA256
e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a

SHA512
1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
1.2MB

MD5
620dd00003f691e6bda9ff44e1fc313f

SHA1
aaf106bb2767308c1056dee17ab2e92b9374fb00

SHA256
eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586

SHA512
3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b
Filesize
36KB

MD5
62fd1704573f0a1ae4c7db83f9f5b470

SHA1
09d03a37492cfd0580ed3b819386bbc4ff64d960

SHA256
3b14ad4d4df0e681fd5aba556473e39e52b31ab98f51dc3db4937bb641a6d667

SHA512
c8108393f8bb91c018ee06ad51d746a33e24ad9041d5cd84792e4c59fb55639b8042ed5c1a424b47263652182ceafe516d0b6adab147e33bbf261d6aee1d3f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c
Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044
Filesize
4.5MB

MD5
8452749161e316d452945207218f3af8

SHA1
d214450a4a87838a49a65172ca5c121a08dd865d

SHA256
b10427e55547ea180a36def8bbb6594c535a8b7f1c4195f401dafaa9b0989e02

SHA512
62e4e072e0349609dc6a7c79844efd9a3e3cc52c7e6b2f7a7bd4ed8ddded44e85875b78f62278ded1c70669c342997fabc084063bfd6bc9e5f6f750cd94c5e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
0e15379740eb3f0808caf5978445955f

SHA1
81c863286bfe3a9f65e8d15e94aab455aa54d64d

SHA256
8a8ade9deb4fb4f9b8451b9155812c91e097cda9695abdddafd34817ed7dfaa6

SHA512
9d308438b82a809a9c416c53af47e57cc682b342977197667211759614629a83367a7a2314dfb6ce40ba9d6e9bba7ccd27c0620863e8d2c83cfb0b7e45551150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
6f141edf518583b6965b8f8e1f9e4b10

SHA1
16d1fccdaa5e5f5bf3aebe4fafe2e25d7b32b639

SHA256
f23da2206c6eac1555bcc3c2a87a3e784251c96822f2fa0cf482454fa4c6eeb4

SHA512
b71c4a397339ac19f0876d76bf8db9da4b9d8b7fdca0187912457a8b18b77209809a27ef4860385285c0f81f2581392aefdbf855914df47fa364ad2d4912d193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
d662f40905b24041c9c62bffed8132e1

SHA1
30a40922e8c2eaf59b9e1f7f957fcc98c19dc6bf

SHA256
ccd44a03103e2255c35c4e9568a16d2502e4be439268dcaf8a29b2e78ae542d5

SHA512
07ff0db9421305752fa6f4a2cf60535e06d157c28d18b45ce7d0024d645a47b16eaa1a06b8656dcd7272361b7013bc78fb9eab1c23ba91c5ac7907e33e8da5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
0e456e75a40f73bb43acb9931281ca97

SHA1
4890f66670ad6ade7905dd363fe3ba713bb231d8

SHA256
9096b8f791eade5b05871ec655b7731d65107d9cf100c0bb01ef130955851742

SHA512
38ceea01a0c6f59992da5f532bc9608a13520abc0c1d95c7dba1a5cd769535a4c08cfbb27710790b1ab7a8adc6bef1227ae8b4ae383810bb66d5f72d1cd08c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
c8184b13561b9a1d97cbc5b5864816fa

SHA1
c01127d2409d3e1e46b1593a2fd9fe23d97604d9

SHA256
290ccae6a7021b8bdb64255464dcef2388856305d10367593db04e9bac98df78

SHA512
245829b886d6572c7de9fdffdf02ab5c9cd4f50930aea7992e6fc1b75217e7351fa40a3e4050013537c303ffe187b828db2c04e3a1c3a149657ba64834a1092f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
0372ea25967cccab9deffa259502d5c3

SHA1
c8035ae2478fc4008027194de6d98140dd30f420

SHA256
4f1c7cdb783600a5c7f7b6632bbf2a21ef0fe18e9b4f9b665732b8ccc18f7466

SHA512
ec2feabaf51f4392307724ef7673e548eb9f71b6adcc2687d0a3ca02095979930f3399d8e88508a50d9053b08c69d4bbd0d88e231a5387ab8218acb2e6a3c4aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
b93373c0aad8b8d4cdd91589b0ffd9f4

SHA1
1e0421176e46d89c3ed97672d02316b450397181

SHA256
27c6e8e35fe15f6ce078ddd7c43a7b56938f4cd587985295324cb7aa1e2aba59

SHA512
778553ce528fa5b4b6b9a67867faf8143942ca293c73efed218aad0710126dbb56b0233e7ee7caa7c1a484cc6a670b1709565a08d4fb06195c6119da31546998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e1b5248eaedc8e40578c8dad5bee66d9

SHA1
fafa2a1a1cad143a4879da39fdc8cd0771d3f10f

SHA256
9acbaff434f8476699fa2c8355fce2df1d262983fb5aef9d0a22ae74d4d87dee

SHA512
eb81aa8bfcdc0605c98347866c6d9cfae7c3e5f069213e7ec40f1d89249aefcb23d1c44a808ff720d2014da71ac713cbbcb0e4d6497d6cf4541e0ceef14ac2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
370ce242efb38b0cfc3d0c0f01dae995

SHA1
c268ea9de6eb8e9ed2610ec81e53983d2f7a8bf1

SHA256
cb8ef3fee77fba49c028f43a4326da2b176f7ae34bdfffc1640e8d46fd2728b6

SHA512
05a4362ae6da6f258be6f53bfc09e0735aba40ff7b3b3f324ce1610ab277d8a03bea26b6a16103f7628619aab1f08bdddaf8f6751846c8108d4314bedf7f4bcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0f95156070cdfbe20f7f5a5459c84c26

SHA1
de5da74445315f0bb68dd3ce9b15ea63c4352d1e

SHA256
75839f42b3582d08e57dd8a22f4fbd68f76fad01b799cf659344c78f09931d39

SHA512
864b22729d92330b69450e3a0c89891956f06b1aad1ddd0e2e5e12d32b31246cd48a9849476a0d679ec732eade0b1de5582c16c717e2f322f0d0e2a6e82d20e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
ce609bdce10c06cda1719aaf94263db0

SHA1
33629b7828d47491cbd019a029425ba919e4445a

SHA256
df9eb89850f0663ce9f8b9b4cd81563b1b55ccec3f8132d5a001b173977ed2f3

SHA512
fb1223c99629b1042c785f1a130c0d3c136f8f902bd7a3a31c9171b5f289e6102d84fa4a7d31ef1fdc78bb70bdcbdd82156b21c57f79bb414a19fd04dd952aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
00a008c22fd6ae6a555ebb61232fbef9

SHA1
36a7d01302ef291939cd5cbae7ebca6b5c091895

SHA256
70eabf4d274d3c29ae2ad17236e4061ae1edf3fe710ad0af5ef2d0c3a7928aad

SHA512
5dd29769410704e4dbf1899c809b00ad7ad04656b28824833566baf630c380070a016adb3cc87ea71dcaba9af359b10ec80fdf7efa90c5ba1a8c7117365a06e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
debe963af13846691fd0d2162c28537c

SHA1
d528aa894aa7cf23265373832489333bfb4f40ec

SHA256
f453513fa4a6833eb28f98c8ea1825e54200f7dd0452cab4a7f2df60348a50e7

SHA512
a7202e8787470bb35b38fa53b319c16a88150697eb054f739e53c27f33c48ac0a319fc99d26d3514435bef415d5662df5ef541e137092743857fdf831da34e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
66464068b6f36e0cb88ed8572807696b

SHA1
ef0bd512b8ad26eafe8d61a43f508ec1214de5e9

SHA256
246eaa154835f8adac7246f5e0427d4f45331bdcd978c9070bbf79091e840cc4

SHA512
6e265c3405f6b40b32598c8bf882f43304bba4b2bbc22d6af4bc7cf9023bfdba2e8813cabc7b8545f499a882d3025a013520229da73df101280723a3de184080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
61a87aef8f76677eba7c934c3492df12

SHA1
5c9d0ddb2e43463e7d0171e3cf1112a54db190e5

SHA256
bad1193bc8e4d4ba9a956e498679b67c17648eb63fe0c0510703b36815e2d4f5

SHA512
4a2d56d4c7d208db9fb943130cb276c8f11f80ba86d10b199f303b57f1b1c7d72cdb3f86b9d256a19b9cf80d416700309dd3d62c67b16a08bbfc33d1c7e900be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
c2c2ac648e8af501dfd4d86f0e511c67

SHA1
0dbc60e74df31350b4836771d22dc8cdcdb63583

SHA256
eb7c3027611adbef99aeb72ef3d8f81d73fe0d28b48bf59d27dc88279ec279d7

SHA512
8db6f8b0d00afb38e4b757941870634e37dfe44c5a13c1f8622379c110340f4e113ea029d135d6344dd4daa8c7ef8a0db59bb204f6c2f2d9f25638a6134a8a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
8f7b9568420775866206f017f715fcfc

SHA1
1f0cd9804ed3f1d57ffdba4603ff4e32842b6440

SHA256
ded5c17361cc4f585867edf775be2ddec81ea467339e5973f9e52e41589420b4

SHA512
3088e3a36a98ab6098dea18435a30581139245989708e720558a46626346f45123cec8f1d57d582961e14534b54323b9aff8a0c648957edf954213a69154fb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
724d5408155d3bb34d8521ee630a7f62

SHA1
2f1e3ac66a340f46932842dbcb13b360c2cd7c29

SHA256
4db09ca9f7687633cba7e4499fe1d694c03d35254a1debd414a696ebf83dc708

SHA512
116e94be5bd57ba05008d6af3d7b83fb8729f480c25bff537b492a235e357ff950e5fbfa6e56d24675d305795a9c3d127d4ffa32a95c6108ee7c71588d75aeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
29e20e7cd57496b7daa1d09f1407533c

SHA1
036bc5316c8716cb61408cfd69942c621dc48a77

SHA256
8c253007e85cbcc88ed29df98fdfbdf36fa4d2fff25d44eff3862fe7fc13cb1b

SHA512
d1178efa96c8019b64a9e58b55fc6e2a213833761fec61fa59a404308f1b64d5f463a20632cacc101517fdcfa21fadec4c3f15e51168cb5fa7087225e6150d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2d5.TMP
Filesize
706B

MD5
c713d44d4f899a8f7a6edda966dc43e6

SHA1
d1fa689dc438cc848ccf996224a0cccbf20ca7e3

SHA256
cdb6048993be9e36663a7ef64c1552556dd934b980f39f42c8ca0a34b2b9607c

SHA512
506bd0c1a0ffd964102ec6b82a8da7c4e0178117f8fbf3800e80b6af7b84cfb895a4ef57acf6eca5ae7837a51ba3ed923212018344913e336f9e2612236a5c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f4851f01-a0d7-4b8a-b5b4-fa56e35b5bec.tmp
Filesize
6KB

MD5
f257059563c4d36508352b06113a5ce6

SHA1
d3755693823440b529a0733482bd696a2f08a533

SHA256
26fbf1bb289fce61aabc696efef85bad1f110d7e36ca9fb50326c4ee2c5f3207

SHA512
5120261ee79f49f5defb05e2ae4265d7b26a4dbeef14ce759c7d4dafea9deab24621c4d58fb3507573b4fd01ae98bb696078e7aa9932cb8d6b40e5ebea8abbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
449547232e10578e2e844ff3992fe6d7

SHA1
021f8c5859de7eedc0d41c5400a58813c1567f89

SHA256
77dc3f77eacba2189da0f194dd646926925e3babcc4c6c8efe7609dbfbc34a51

SHA512
3c069c47cd381e5a93028fb4422861e5c3d33a41065cc9aca9e31d4905d7f16a69c75f6dfda6bfa3b5b427de0c73cbb94bfed57a165c32d591be6ab2b2274c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0b47e8c120c06e5d72e2ac8f0fe5aaee

SHA1
fc77ea70d903edd76571f2226fc110fff9877429

SHA256
02f1e5321e348685c19d19b9b3c5c739ed74b215d9676aef49822e321f3fd4c5

SHA512
52424d6f71065eb0f8072f659d298602a64d9b6595253a5bad8e6a894a23dd939232bbe2b48930f9169604a5c2591db0fd5a392462673e567e30ebee691b1c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
21ae05308945065302a46cb5e52b74ae

SHA1
561e193a7c56d2709cf95d305aa430c905027624

SHA256
52bc51f60d6552b97febb006be77eeca627841a8146c6652e4cd85c9a28cb538

SHA512
4cd37e912feca19582c4714120f71ff44f660216310d5b64607a7b0cd85aceb4d7a10b6b21230e34079a47de8845c2385e3b6642c771a35ac8147bc15a8fbf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
387B

MD5
575916473cf142862b265e2237d08f34

SHA1
e6221347f0eab56d6a68f36e3f14a0625e0410d5

SHA256
bae9e73bf6ff5b59c7dc273b591b349ec7cb6d42d98e4a2ed8fed10077e134a1

SHA512
c94e1975201c208fa1e3333b5bb9e03d3c980465e9ae9cceb848008a661b9cc63a518b26a86de190459ae8d2066ed00d2af6ceb7dc74bb8cd1eae9e489cd6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
584B

MD5
6d68bc6beb693c34235e9fdc381427d0

SHA1
4df32362e4c5a197239bfa78f0b4a0b0291f4e7a

SHA256
246018fc960986c869a1c15e8dc2412f5ed56718d63f26f7223d401e4407b972

SHA512
be9312cb2c6cf520922a70391b00ebf325b3776435917cff4f84639c790f50a144b9c5dc2b902923c7e3e4a1bf26a7e454fe5c80cecdc025d486c915b13c0600

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
1KB

MD5
d0cd260f721cab3515cc1125f92efb9a

SHA1
7974abd6345eb07330e071b817563d6329652d83

SHA256
0ec94d5e1f90afceab6240a71df3e1c167f5caf0ac4fa70968877a23bb0727d2

SHA512
5509e02a57a2989eb21c5143300f25b0dd57c2b0f9c0a85ce09cc06758c793de19654305f17bdf1dd02c4f25fdc6448ce48b65585ac52bac6a0663d9c27f8686

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
2KB

MD5
e070cf7ca2696e4f7caffbc532f7734f

SHA1
cedacd5fce07b666be28b2f7270c0f2ae584c209

SHA256
0a018e63ace52d90904c00c42cc220991959e72b860ef5aa0b5367dcdb2eff5d

SHA512
43f333b1349c0f52d354099531675e0d2d2b46cdffa3b29874cd34e5d556e7b628f58279f77b32a42dd97603a33c2dca1031af6dd08b474d5631a4f4ed7bb735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
2KB

MD5
45430327d7acd073fd9e03f0235ae909

SHA1
4a860f8c7a7ddae5ff1010e385682db0b7680971

SHA256
5dcd76d947926304ed75e3eb7b6b308c89492c58e1b566c57580a465dc0708ac

SHA512
0892c8e1f572dba58b55a2029f964857b254c18ef0c01f73ffc263a756b2a4560586c1e6edd0c59e01c330aedf6ea045ff5c414f7ead34d441e5a546b6e20fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
3KB

MD5
02bdf4707f55a87f374673b2f1899327

SHA1
d28ded43cf54b1d4a1cb21ead8516de25cfb7fa5

SHA256
f074a3ac103b19acd6e9bb00d3406428f591cc4f85fe0c04a9fa51396bb86a6e

SHA512
de778ca3ee8909f3f7bf52cf46cccb2867850d3983614ef975a616b8838ede832874b666a5170ade7c5cdaff122f969058c2234d0e264d018ddd36612fc0e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
3KB

MD5
1deab569183de40baccc374e026445b9

SHA1
672346be578842de7b1338a4838f783e009b4615

SHA256
0ea0d2f4794521e96442d0b412a0eec59562d4edf61dd9ecbe5acacb2d7fb19a

SHA512
b81cf01cd40f7789abf82b1eb54ba875edf1c3f52f6b9fe0a5388924ab36a67450946398954d025e4a20d7d20a22b25af39b687b98aa09b6804cd27495f06152

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
3KB

MD5
a8bce873393d6ec4afa9eefd057f83fc

SHA1
df6a252f8b6803d6327c7c1cea8c714d3fedac9d

SHA256
f69e1f345e32d6a7845a1c267870db3005f7735162539335dca408eaddfcf539

SHA512
91218e17429bfc1a8ab6db2bfd97c34fedb3b077fd6c37daf54dfb00e495753edc76dfb320ab149a026371b4951fe7c946f71762e5c5a72cad57e1418df43ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
3KB

MD5
ddd775b7453ad2304368bbae34210340

SHA1
c748d8b24342cb00a38410e1957c74f2f3762e23

SHA256
58fa3dc8c4fe94c7a568d536f895990d395802cf0670b2ef7adb0db829c8db46

SHA512
dddc1b48aaf72ea526341ce0f4cbe8663ee99ae319a4dfadc6b4e8038f4aaa643423d581e60c7effaef10fd8e596480766d2ebe61e9dcd555297961622108e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log
Filesize
4KB

MD5
b3ce8a1ce546f8a30232c9c44cc12e20

SHA1
33b43b00105aec15da4db17bc0946c89ee8638f2

SHA256
dafc7b686567c427a4ca63ae32c4aa1ab5f0483a4a9222566df886cf1de5fb7e

SHA512
212c30376bfa3ac42f6b6c957174af4b4e01c774a37b7527d3c3e78c6530a23836698c22c1f834175d15e50758b764d2181277bcc80a0a69cc1b48b2d52227f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6E7C.tmp
Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI78E4.tmp
Filesize
2.3MB

MD5
3bc82080d6356dae779eed5135fabf66

SHA1
022c84f9cc59ec45315d78979497cd061658aba3

SHA256
b076c9b888b130fb2fb5a74542c9a73322e78ed1f3f8476be7a8209a20e56f7b

SHA512
041cd3945a22dcec792f45abc7f95b9fb7e68254948f0bfeb49de6b3501a0e13525454aa222dc4b903b3c9bafd4e0ffc2e5a99bd140238e845d3fcb7c496afbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zerotier-tray-icon.ico
Filesize
361KB

MD5
1a6e3ea70c6612dfe3d2638ea694d523

SHA1
bf366c47cc6f33f16da614330013a21a639694ed

SHA256
da01e8a890873bc9b29a50f172552666cdd7b3cffe89d2bc788f2b24ee8dd022

SHA512
d5c9e3ef39baacbeb273c6a03abf803b7141d4b2893f3e00cdf315f2aee2756ad43bdd60df0df27ce105a2e891b234d75d85504d67877e27cdcd01ed81cf97fd

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
3.1MB

MD5
f3802bd8f99e5c9ca6c04a7addc2d0d8

SHA1
96c6b9feffe04c5fbefc48802ac0635f596c6a33

SHA256
6dc99f25c5f794d14323fa2ed8ec891ea2fd81c359d676052574585471984d06

SHA512
5eb55bf1c70c40124a4d4df4c20ece52d6ed060c874c01f1fe4b130056edead2dad3a3dd919a487f2dec03d7e5e684883770c48e53932ac7c44b8ab03dbb84ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 106483.crdownload
Filesize
13.3MB

MD5
1694ee8a09ebbe56390c44bae9307406

SHA1
0f1886e199b60d9abd87e786e49f8a0557031052

SHA256
7aa6c2e38366d1b553ce56e67f35cfa687e4ba0f7c3eaa404f5ba2449af9fbe5

SHA512
8417fa25bd4769e747e539804c92223ae88c1879a8c9f3aad5e3a2f990db47d1cf319f3777cffc259fe6bff0312664f8621434419fc427d67aafdc56aa834c18

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 180415.crdownload
Filesize
10.5MB

MD5
316fc65318bd86fd3b71593501825de6

SHA1
6ae35fd08375d0fda71816125a7d18b4678821c6

SHA256
4f844eb5632cb7484499ba1b237d91fb2fd4e97176864ede6e74ad33c599c135

SHA512
42d7621f41ae60b7f1935dfe2c12317e8e103adf804b80be8d01223d070707cd633fe900aafd7ec0316d485229e95c1d45a501a2ab95609939f29c8e367438ee

Download Submit
C:\Windows\Installer\MSI8664.tmp
Filesize
400KB

MD5
989e7044be092ec5dffeab701aca2b74

SHA1
ad9d61155222ba270e3efdacf1333187cffd648f

SHA256
fd337377af9e152ca1b9123fb7609f6687d1a0beb78d37422639a31bfa712340

SHA512
f51bf77be853111c3b1318467209cc2ee3e840bf42b7fbe56fad2e012eea7333d512c9650009919ca1aa272a58f5efddbb66f120c523edb8a9224c3a783869d6

Download Submit
C:\Windows\Installer\MSI8675.tmp
Filesize
833KB

MD5
926f97e932dd65679b78439ff0943ca3

SHA1
c780a762ce0ca865ed515e14e8908307ed7dad22

SHA256
12993932e93d9b31482836832049fd3a8f64bb4e00f2a480eef936a9de29be38

SHA512
9a0fdae0ba22554c8ffd024d6b7111df3aae93ac16f9ca32cc0839bf62fc0e1bd5e04f72bc371f04cfa1f4701c15345919abf12521328e66e760f83869cce7f1

Download Submit
C:\Windows\Installer\MSI86C4.tmp
Filesize
431KB

MD5
3525dbeca49667f19b8ea6495909f441

SHA1
63b4dd0e082bbf032b9a6b5f4390091a62870502

SHA256
725f2c5c008a39a8ceacdbfb5539b66535b0d4d886bc9d95aa54917d83cbb0e7

SHA512
3b4b960fa95b546d79c081208d8d6ae240d421411cff85585862fd4d89649737d296687e568fac56229599512abe3a18430502dcf2fbb9373ccc92824a93666d

Download Submit
C:\Windows\Installer\e58ef4d.msi
Filesize
13.7MB

MD5
909db4061c32f798e94d746717782444

SHA1
10f5ffff17d2dd4476686a941a7bcc5f9b83b1b8

SHA256
6ee98db32852a2ff31a969d918bb7c730950bb15f24ea1baf996697cebc8b9fa

SHA512
44e7f97b27aef2e4cb62a6a0ebab5033b99e1ec940f231eda416f3b68d83df81d10950a8ced2ca528024adecd1dea7e1d4427e78b111edbc0124d7ffd6c1232d

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bak
Filesize
1KB

MD5
5919a4242a1fb169c68317d18adf2746

SHA1
4bc5e0bbba80f43fc5bda2d45eacab772fe8a302

SHA256
7e5adb2f62eb88481057a6e469ed552b15beea681c3cc4ab37c96b458d1969ba

SHA512
e2b7cdd9831e3e07887b9fce9b940845158be0c0e632705f318d12d21d785af7ec6e7c45cbd5675a024188bb7fcbb0adc28f317767aadb7ae4fb3d9f0c29ce48

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini
Filesize
474B

MD5
af32645d7d08e465889b33eeeb5d2143

SHA1
39207de571480be4607af29dce2f66cdc6783946

SHA256
19617643f90f5fe60d4fbd9a8bfaa0f1763105a6a8f44997a4e703d269581647

SHA512
a3a152e3a7431501d08db93d43a385c8d4ccdb748bf01d9f0d359170c3a51686fafb910e9c6aec82885bcee30aa8e1232afa9ab3558bdb0f209fb075eeb00cfa

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini
Filesize
474B

MD5
ade722a4487730c4a812aed9306d4a45

SHA1
903db592b3a64c6cdc9a12b8d17cb4b06e0467ed

SHA256
a6befb399f691e7cd07e2ffbf1e7573f4e0ca61a0d0e591b0c3af7a98c91e4e1

SHA512
06d1bf2fa20143d52cdc0dae1932f0c99ed8e84b19896979481482ee59ab039142e3f33eeccf53202320d2543b09e1bda56f67fb7f381298a62a40a084042cd8

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini
Filesize
474B

MD5
d9e8188fff0a4d27bc91f128db8f9762

SHA1
5e57392a6eb4e8e867eb1952e797280e39690437

SHA256
39d29f5f710e53ad71f81414a5cda3a3e68d1e3634b8efbfe8bc2aa1f472f292

SHA512
4e255da2118c7e22784a9f431b822405faddfe99d8c96778944068cca668f9af4d20e0b20189d66af36761948958c6cfac66d2cfba25782218fe51c7d8f238be

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini
Filesize
474B

MD5
8cffeec178a536a92777e0ca7c5babfe

SHA1
8f08c2a0ee50f611af322a7daba8766b78896a66

SHA256
f45bd458ecdf3c847e5b7a858becc7a5916cbbcd3cc7d5a355ea29813643aecc

SHA512
0ae8230497357ddf61de95cea0e3d2397838892f4558c00df98ddee16ce0775355c305d38be4193c21810c709913c2e82fd5669b27887c330fb21c928f0011b2

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini
Filesize
491B

MD5
b60034a909f1c768b49f8acaf9f0bfef

SHA1
e429bc7f07a37591bf78fd32b60f07cbe695cae5

SHA256
5c87efc1ff7050daa57aa7ed9214f341b186bbd71c39b742a0cf3495a18f917f

SHA512
d1d4fc416a131e528593c20003603237c15eca31f1f0ca52807bc17d0f8166ce66ac5b4816f7f2e132c496cbcfb7f6d93c045e094c2d18d900ed181a5e21ebf6

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.bak
Filesize
499B

MD5
892bb8ccae54a334d22fe9690a2642a5

SHA1
04088c2f0d8d1e6be1a09d586fed8cb8648e8452

SHA256
b5db1443d02f02f17e6e47a0d0dd7832002b42bbaa1491db67b01965502c6404

SHA512
133c2d0e9226204a51ea00643b6b9e6c16871d625d1aa7a052db32691936cb819d9248434832190ee88bf8bc4efb14982f681b73666d53cbdffa1432784fead9

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.updating
Filesize
7B

MD5
0f81d52e06caaa4860887488d18271c7

SHA1
13a1891af75c642306a6b695377d16e4a91f0e1b

SHA256
27eb5e51506c911f6fc4bb345c0d9db6f60415fceab7c18e1e9b862637415777

SHA512
7ccef1661d9bae2a1a219de1d53fea0e2441354e4e4c3e111f75bf926fb12c5b0e6e7824200cf65dfa5686216b9e67436038bdc69c7ea7621f3c67b481510cd7

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
605B

MD5
acbd97eee240bf37c07a41de89ad9d33

SHA1
496d452cfd8db4dab0ef01aec4baf644e5cd561a

SHA256
9b2970666542096da24af2d8082369e5401ac758568e6f83c22f01734cfb070c

SHA512
2dab084239e21cfce91dc2f655eebf2a9f80e5a3895b060a4f63b845a8baedfa6445529cc086833701ea2210d6230029c611e052e049e791e79cda30efeb950d

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
966B

MD5
4aa8e3e461af87e5d1e2e13638ac6b76

SHA1
85c2ff791273c825e7f7250494560325db73f567

SHA256
0e95110007b34d4e00c1498924601bf8be7276ee55084adce402cb6facf186e0

SHA512
71cf81c61af31199bc70ce1407cd916338db69dd9703dbe77da241936226b33651a9f3427e93f321460190fa74e99096e67cfb6185b006a1f3516cee1847493a

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
1KB

MD5
3eef04de70851d1f6288426073b5ea67

SHA1
1c5d940970a8485a43f422aae41129de6770e390

SHA256
77f3d5b3427caa6c2bb46fc07a6ceacf6bc480891ba7fa176db6dc5497572f22

SHA512
ca957fbbdf7d3b9a1747337a109cfe659c5156fa59d3e0e0c76db23a08b127c4001b3b6dfd76bdd9670fa6e3646baba3cc6a0c848b9ee7c7252e8c9d1aabd315

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
1KB

MD5
8a7c359235f722d31cc5a9f17a328793

SHA1
be0c2a3dd2b0ef0f0362b6e6d943de51bd588bec

SHA256
fd8dd4caa4a14db6cb85faf715a1000b0618e55f67f99b1a2be0a1be9224c8a3

SHA512
8570759fae40a27b3d404ae927db25e5404cdcde0a6213a0efe38c6b4b8e323dd8d6aff6ef77942e4aebb2cd062ba3a0051d0ec8f26c0b7bdb0a2c982a5e39e5

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
2KB

MD5
da31a1c8398502c8159b8ce4312f05d1

SHA1
dfe33a76f14a6cc6dddd4913b48c30e92daf5618

SHA256
2070845c8269ea715afbbec1a4da0194c3fcc7fb00503776dca835f588d93501

SHA512
9e3bacb57e4786edb64fc1e469ffec24fd8d0604cabd79589de3c99fe0c05f959c12d1238a869a85fa2c53341431fc976becadfd7c3d8cbcd1dd713bb83e444a

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
3KB

MD5
49896e9c1e02c733989bd6fb70413c75

SHA1
d1a0a7d528265149d363f1a91f09a34cb997568d

SHA256
a6f766d9af5205cbee823bf9add8d03bdff8f13ad1d604dcac25bc18c901b149

SHA512
4b97046f4b592954a8c74ae291932c51478ad6e81e546704475376b50d8d6e0b20a785e3f9a6d8f73acf3e509262bdc9f75572f90c8bb3b2b5530331b59cac27

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
3KB

MD5
83f4d83cd50698660307cde8d02ffb14

SHA1
c267eb4e707c6c5d78f61defce5be2c64f9e3c6a

SHA256
b57e40547687db6175ef6824ea82e8a021cc93cc5f28d47a9bc17182c42b964a

SHA512
f055e463359a7ebc44e003b1a45725c9bc654bb4bfe149c601eb83ccbb085b37bb83492ec952fd55f6070bbb352db732ec32e3fe76e8eb21abbbf125f49a4a29

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
3KB

MD5
f03f2ac20b08e8be929df3927193b071

SHA1
187af37130fe6e7b2d1703a09d7eb22b71f6d873

SHA256
5a85dbe732dd07fcb094d8ce9db610e8fef983022d2323799294a226f2902b30

SHA512
81be90751a8117fd14fc97c7c958bcbc2a9e0c5e13723fa90e25c0235c0c75f53ae00eeaf30d71320dcdb6613f1c2d5120b7eaa0820a3e3253d8d481285c8609

Download Submit
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.log
Filesize
4KB

MD5
6b1ea196bc987cb881ced0fc7b4636aa

SHA1
51a5034d5850bf1e8d430d3a225627384f0ee9de

SHA256
f6806750041ec9de32f2d927215b553dac2db78f53734b3d8ec83bf029763095

SHA512
edac2b3e4724123eab877a22dba4fd52dccac03f5c417b3e3486e00c5db98c7ed661b6ae5ded8967a4bc2eff56d86d4965c572973fbf9d2b509200f3dc99011f

Download Submit
C:\Windows\Temp\HamachiSetup.log
Filesize
1KB

MD5
1d536ec4b7d5b2714951736f457e4441

SHA1
01c44f121233ee20d33d5ed35df212e80d23a282

SHA256
9b1aeaf3f04a4805cb54f090279343a9db21a837211d09939b37cdfe81940f7f

SHA512
4a388b748f0ff9c36d8e425d49aa856f9a2f8879fe817d1816587bdb0c97e42f5ed245780c25f21838d455b6dbe33515cd64b6dde722e0c0fcd0cdc06f15872d

Download Submit
\??\c:\PROGRA~2\LOGMEI~1\x64\Hamdrv.sys
Filesize
44KB

MD5
7f79205b4efa98f0767309479c8c01c6

SHA1
9d546dda7536a85a3f4228e065967be1648ad901

SHA256
4b576903a83f33a8cf31d3887144a3d51c56d1187115c83ac99c0e9f6b4bf128

SHA512
418ac89f3c5996de50c846693995145e314d0cd7edee59f0cdc212720d84be1351827c7ab02e870d1940288f5c4838d39c77fbc9847b69ab5fce5d74400c19ca

Download Submit
\??\c:\program files (x86)\logmein hamachi\x64\hamdrv.cat
Filesize
10KB

MD5
f49c69fcca067884f38e9cab20ba8920

SHA1
bbe2113cfeb8b9a2234d97849c05c4a72b368a7d

SHA256
e436ceef0126e703fe48bd669e3748e468b6f8027a8b6c2ae779f2911e65331c

SHA512
e233dc261ea650d0cc01834591ba5c7e113daa23da7ada913c589ddff13c7d5b946da5f3f649e81de9afa664d0c4bf5b6fc921e359c252dee5132c8f584c60d3

Download Submit
\??\c:\program files (x86)\logmein hamachi\x64\hamdrv.inf
Filesize
6KB

MD5
da79247b2ba817d655c2db44bdebff1c

SHA1
fb62be8194096675dace18cd1217217ec2f85777

SHA256
35e3427711eb7e0645d3f4ffbc3dd73b16e96ef1dc4c210db1f67229283f414a

SHA512
e124e5bce81d09713b959a54da96ca7679b9880e69952faef360c7f0311a6d85a97d377281edbae22e61f7e3204847fb4eafd64a15aa97079bf9cda2cf1f0328

Download Submit
\??\pipe\LOCAL\crashpad_4840_IWZADZYEPBGWEEMH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1868-185-0x000000001BD20000-0x000000001BDD2000-memory.dmp

Filesize
712KB

Download
memory/1868-1781-0x000000001C650000-0x000000001CB78000-memory.dmp

Filesize
5.2MB

Download
memory/1868-184-0x000000001BC10000-0x000000001BC60000-memory.dmp

Filesize
320KB

Download
memory/1876-177-0x0000000000440000-0x0000000000764000-memory.dmp

Filesize
3.1MB

Download
memory/3148-264-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-268-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-269-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-258-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-259-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-257-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-267-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-266-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-265-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download
memory/3148-263-0x0000021A7C550000-0x0000021A7C551000-memory.dmp

Filesize
4KB

Download