Analysis

Max time kernel: 443s
Max time network: 445s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-06-2024 11:30
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://justbeamit.com/yem57
Resource: win10v2004-20240611-en

General

Target: https://justbeamit.com/yem57
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 10.240.115.45:4782
Mutex: 2cc201c7-b02e-4a34-8806-aa9a8d33ae2d
Attributes:
  encryption_key: 64024FEFC383421D2550E88D4DBE252B6BA53116
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Resource | YARA rule
behavioral1/memory/1876-177-0x0000000000440000-0x0000000000764000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
Drops file in Drivers directory (4 IoCs)
Processes: hamachi-2.exe, DrvInst.exe
Description | IoC | Process
File opened for modification | C:\Windows\system32\DRIVERS\Hamdrv.sys | hamachi-2.exe
File opened for modification | C:\Windows\System32\drivers\Hamdrv.sys | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETFCD9.tmp | hamachi-2.exe
File created | C:\Windows\system32\DRIVERS\SETFCD9.tmp | hamachi-2.exe
Modifies Windows Firewall (2 TTPs, 3 IoCs)
Processes: netsh.exe
PID | Process
1792 | netsh.exe
5484 | netsh.exe
2064 | netsh.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (19 IoCs)
Processes: Client.exe, hamachi-2.exe, LMIGuardianSvc.exe, hamachi-2-ui.exe, zerotier-one_x64.exe, MSI86C4.tmp, zerotier_desktop_ui.exe
PID | Process
1868 | Client.exe
6004 | hamachi-2.exe
6068 | LMIGuardianSvc.exe
5868 | hamachi-2.exe
5772 | LMIGuardianSvc.exe
5416 | LMIGuardianSvc.exe
6132 | hamachi-2.exe
6072 | LMIGuardianSvc.exe
6048 | LMIGuardianSvc.exe
5516 | hamachi-2.exe
5416 | LMIGuardianSvc.exe
5532 | hamachi-2-ui.exe
4852 | LMIGuardianSvc.exe
5308 | zerotier-one_x64.exe
5964 | MSI86C4.tmp
2236 | zerotier_desktop_ui.exe
5136 | zerotier_desktop_ui.exe
5556 | zerotier_desktop_ui.exe
5988 | zerotier_desktop_ui.exe
Loads dropped DLL (50 IoCs)
Processes: MsiExec.exe, LMIGuardianSvc.exe
PID | Process
2956 | MsiExec.exe
2956 | MsiExec.exe
2956 | MsiExec.exe
2956 | MsiExec.exe
2956 | MsiExec.exe
5180 | MsiExec.exe
5180 | MsiExec.exe
5180 | MsiExec.exe
5180 | MsiExec.exe
5180 | MsiExec.exe
5180 | MsiExec.exe
5716 | MsiExec.exe
5716 | MsiExec.exe
5716 | MsiExec.exe
6068 | LMIGuardianSvc.exe
5772 | LMIGuardianSvc.exe
5716 | MsiExec.exe
5416 | LMIGuardianSvc.exe
5716 | MsiExec.exe
6072 | LMIGuardianSvc.exe
6048 | LMIGuardianSvc.exe
5716 | MsiExec.exe
5716 | MsiExec.exe
5416 | LMIGuardianSvc.exe
2956 | MsiExec.exe
4852 | LMIGuardianSvc.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5224 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5680 | MsiExec.exe
5392 | MsiExec.exe
5392 | MsiExec.exe
5392 | MsiExec.exe
5392 | MsiExec.exe
5392 | MsiExec.exe
Modifies file permissions (1 TTPs, 12 IoCs)
Processes: icacls.exe
PID | Process
4352 | icacls.exe
5376 | icacls.exe
2768 | icacls.exe
4736 | icacls.exe
2556 | icacls.exe
4320 | icacls.exe
1932 | icacls.exe
5388 | icacls.exe
4084 | icacls.exe
2292 | icacls.exe
1844 | icacls.exe
908 | icacls.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: msiexec.exe
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogMeIn Hamachi Ui = "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2-ui.exe\" --auto-start" | msiexec.exe
Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe
Flow | PID | Process
99 | 2884 | msiexec.exe
99 | 2884 | msiexec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (16 IoCs)
Processes: DrvInst.exe, hamachi-2.exe
Description | IoC | Process
File created | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB5.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855} | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.PNF | hamachi-2.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB5.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\hamdrv.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB6.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\Hamdrv.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\hamdrv.inf_amd64_c59072ec40c0c372\hamdrv.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\Hamdrv.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\SETFDB6.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{570d6541-c771-454e-815b-4d1f7b2ae855}\hamdrv.inf | DrvInst.exe
Drops file in Program Files directory (20 IoCs)
Processes: msiexec.exe, MsiExec.exe
Description | IoC | Process
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianEvt.Dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.sys | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.sys | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.cat | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianEvt.Dll | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\ReleaseNotes.rtf | msiexec.exe
File created | C:\Program Files (x86)\ZeroTier\One\regid.2010-01.com.zerotier_ZeroTierOne.swidtag | MsiExec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.cat | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamdrv.inf | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianDll.dll | msiexec.exe
File created | C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat | MsiExec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi.inf | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe | msiexec.exe
File created | C:\Program Files (x86)\LogMeIn Hamachi\hamachi.lng | msiexec.exe
File created | C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe | msiexec.exe
File created | C:\Program Files (x86)\ZeroTier\One\zerotier-idtool.bat | MsiExec.exe
Drops file in Windows directory (64 IoCs)
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
PID | Process
5452 | sc.exe
6140 | sc.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 39 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Program crash (1 IoCs)
Processes: WerFault.exe
PID | Target PID | Process | Target process
5920 | 5532 | WerFault.exe | hamachi-2-ui.exe
Checks SCSI registry key(s) (3 TTPs, 54 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Processes: MsiExec.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hamachi-2-ui.exe = "11000" | MsiExec.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class 64 IoCs
Processes:
Processes: LMIGuardianSvc.exe, msiexec.exe, msedge.exe, taskmgr.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageDE = "\x06Ui" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\Engine = "Complete" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageNL = "\x06Ui" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\PackageCode = "BD8AE51CFD1484C47840D7F4BAD7E9BB" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E80E241A66716B4F9A16046F5141A90 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\PackageName = "ZeroTier One.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\LocalServer32\ = "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\x64\\LMIGuardianSvc.exe\"" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\ = "LMIGuardianSvc 1.0 Type Library" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageFR = "\x06Ui" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{D255327A-6E11-4A6F-AAA8-97C53EDE654D} | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A88085CEF0E45DB40B2BDF188C30EE4C\zttap300_2 = "ZeroTierOne" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\LocalServer32 | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32 | LMIGuardianSvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\ProductIcon = "C:\\Windows\\Installer\\{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4}\\ZeroTierIcon.exe" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | taskmgr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\LocalService = "LMIGuardianSvc" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc.1 | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\ = "{FAC58A4E-76CC-418B-8829-6DE882474472}" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\CurVer | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\ProductName = "Hamachi" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\PackageCode = "6239770192D4C6D42AEA541CF631E529" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\ = "LMIGuardianSvc" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\CLSID | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\AppID = "{67E4A0D8-8675-4FBB-BC62-F10EC894327E}" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LMIGuardianSvc.EXE\AppID = "{67E4A0D8-8675-4FBB-BC62-F10EC894327E}" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32 | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A88085CEF0E45DB40B2BDF188C30EE4C\zttap300 = "ZeroTierOne" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc\ = "GuardianSvc Class" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\TypeLib | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageHU = "\x06Ui" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\0 | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\LogMeIn Hamachi\\x64" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\SourceList | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67E4A0D8-8675-4FBB-BC62-F10EC894327E}\AccessPermission = 010014807400000084000000140000003000000002001c000100000011001400010000000101000000000010001000000200440003000000000014000b000000010100000000000504000000000014000b00000001010000000000050b000000000014000b0000000101000000000005120000000102000000000005200000002002000001020000000000052000000020020000 | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\Version = "1.0" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageTR = "\x06Ui" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E80E241A66716B4F9A16046F5141A90\3412E00C2F83AB94BAA8302FF2200F4A | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageHE = "\x06Ui" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageRU = "\x06Ui" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\Version = "33751040" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LMIGuardianSvc.GuardianSvc.1\ = "GuardianSvc Class" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4258A22-CF85-489D-83AE-49FCD0DFAD29}\VersionIndependentProgID | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\0\win64\ = "C:\\Program Files (x86)\\LogMeIn Hamachi\\x64\\LMIGuardianSvc.exe\\1" | LMIGuardianSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAC58A4E-76CC-418B-8829-6DE882474472}\1.0\HELPDIR | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\ = "IGuardianSvc" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4615B7A3-8EF2-40C0-83F0-63BCD479C791}\TypeLib\ = "{FAC58A4E-76CC-418B-8829-6DE882474472}" | LMIGuardianSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguageNO = "\x06Ui" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguagePTBR = "\x06Ui" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3412E00C2F83AB94BAA8302FF2200F4A\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A88085CEF0E45DB40B2BDF188C30EE4C\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3412E00C2F83AB94BAA8302FF2200F4A\LanguagePL = "\x06Ui" | msiexec.exe
-
NTFS ADS 1 IoCs
Processes:
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 180415.crdownload:SmartScreen | msedge.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe, schtasks.exe
pid | process
408 | schtasks.exe
3964 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, taskmgr.exe, msedge.exe
pid process
4924 msedge.exe 4924 msedge.exe 4840 msedge.exe 4840 msedge.exe 444 identity_helper.exe 444 identity_helper.exe 2240 msedge.exe 2240 msedge.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 5900 msedge.exe 5900 msedge.exe 5900 msedge.exe 5900 msedge.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Processes: taskmgr.exe, Client.exe
pid | process
3148 | taskmgr.exe
1868 | Client.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
Processes:
Processes: msedge.exe
pid process
4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Processes: Client-built - Copy.exe, Client.exe, msiexec.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 1876 | Client-built - Copy.exe
Token: SeDebugPrivilege | 1868 | Client.exe
Token: SeShutdownPrivilege | 2884 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2884 | msiexec.exe
Token: SeSecurityPrivilege | 3096 | msiexec.exe
Token: SeCreateTokenPrivilege | 2884 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2884 | msiexec.exe
Token: SeLockMemoryPrivilege | 2884 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2884 | msiexec.exe
Token: SeMachineAccountPrivilege | 2884 | msiexec.exe
Token: SeTcbPrivilege | 2884 | msiexec.exe
Token: SeSecurityPrivilege | 2884 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2884 | msiexec.exe
Token: SeLoadDriverPrivilege | 2884 | msiexec.exe
Token: SeSystemProfilePrivilege | 2884 | msiexec.exe
Token: SeSystemtimePrivilege | 2884 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2884 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2884 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2884 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2884 | msiexec.exe
Token: SeBackupPrivilege | 2884 | msiexec.exe
Token: SeRestorePrivilege | 2884 | msiexec.exe
Token: SeShutdownPrivilege | 2884 | msiexec.exe
Token: SeDebugPrivilege | 2884 | msiexec.exe
Token: SeAuditPrivilege | 2884 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2884 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2884 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2884 | msiexec.exe
Token: SeUndockPrivilege | 2884 | msiexec.exe
Token: SeSyncAgentPrivilege | 2884 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2884 | msiexec.exe
Token: SeManageVolumePrivilege | 2884 | msiexec.exe
Token: SeImpersonatePrivilege | 2884 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2884 | msiexec.exe
Token: SeCreateTokenPrivilege | 2884 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2884 | msiexec.exe
Token: SeLockMemoryPrivilege | 2884 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2884 | msiexec.exe
Token: SeMachineAccountPrivilege | 2884 | msiexec.exe
Token: SeTcbPrivilege | 2884 | msiexec.exe
Token: SeSecurityPrivilege | 2884 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2884 | msiexec.exe
Token: SeLoadDriverPrivilege | 2884 | msiexec.exe
Token: SeSystemProfilePrivilege | 2884 | msiexec.exe
Token: SeSystemtimePrivilege | 2884 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2884 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2884 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2884 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2884 | msiexec.exe
Token: SeBackupPrivilege | 2884 | msiexec.exe
Token: SeRestorePrivilege | 2884 | msiexec.exe
Token: SeShutdownPrivilege | 2884 | msiexec.exe
Token: SeDebugPrivilege | 2884 | msiexec.exe
Token: SeAuditPrivilege | 2884 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2884 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2884 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2884 | msiexec.exe
Token: SeUndockPrivilege | 2884 | msiexec.exe
Token: SeSyncAgentPrivilege | 2884 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2884 | msiexec.exe
Token: SeManageVolumePrivilege | 2884 | msiexec.exe
Token: SeImpersonatePrivilege | 2884 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2884 | msiexec.exe
Token: SeCreateTokenPrivilege | 2884 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Processes: msedge.exe
pid process
4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Processes: msedge.exe, taskmgr.exe
pid process
4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 4840 msedge.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe 3148 taskmgr.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
Processes: Client.exe, hamachi-2-ui.exe, zerotier_desktop_ui.exe, zerotier_desktop_ui.exe
pid | process
1868 | Client.exe
5532 | hamachi-2-ui.exe
5532 | hamachi-2-ui.exe
5532 | hamachi-2-ui.exe
5532 | hamachi-2-ui.exe
5556 | zerotier_desktop_ui.exe
5988 | zerotier_desktop_ui.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: msedge.exe
description pid process target process
PID 4840 wrote to memory of 2256 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2256 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 2900 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 4924 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 4924 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe PID 4840 wrote to memory of 1224 4840 msedge.exe msedge.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justbeamit.com/yem57
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd15c846f8,0x7ffd15c84708,0x7ffd15c84718
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
-
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6708 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6944 /prefetch:82⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:82⤵
-
[depth 2] C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\ZeroTier One.msi"
  - Enumerates connected drives

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14690976595381041056,1926050994649906766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[depth 1] C:\Users\Admin\Desktop\New folder\Client-built - Copy.exe
  "C:\Users\Admin\Desktop\New folder\Client-built - Copy.exe"
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

[depth 3] C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\New folder\hamachi.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E4E0E7C115675A375F9725AF39CA839B C
  - Loads dropped DLL

[depth 3] C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --ipc-timeout 30
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 4] C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe" /escort 5532 /CUSTOM Hamachi
  - Executes dropped EXE
  - Loads dropped DLL

[depth 4] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 2628
  - Program crash

[depth 2] C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EA63BAAB7F2B4B25762B7DD0C79879BD
  - Loads dropped DLL

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CAED7153F369A9B5A1076DA2A9ED6AF E Global\MSI0000
  - Loads dropped DLL
  - Modifies Internet Explorer settings

[depth 3] C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --add-tap-at-install Hamachi
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

[depth 4] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 6004 /CUSTOM Hamachi
  - Executes dropped EXE
  - Loads dropped DLL

[depth 4] C:\Windows\SysWOW64\netsh.exe
  netsh interface ipv4 set subinterface "Ethernet 2" mtu=1404 store=persistent
  - Event Triggered Execution: Netsh Helper DLL

[depth 4] C:\Windows\SysWOW64\netsh.exe
  netsh.exe interface set interface name="Ethernet 2" newname="Hamachi"
  - Event Triggered Execution: Netsh Helper DLL

[depth 4] C:\Windows\SysWOW64\netsh.exe
  netsh interface tcp set global autotuninglevel=normal
  - Event Triggered Execution: Netsh Helper DLL

[depth 4] C:\Windows\SysWOW64\netsh.exe
  netsh interface tcp set global rss=enabled
  - Event Triggered Execution: Netsh Helper DLL

[depth 3] C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" --config Hamachi 25.0.0.1
  - Executes dropped EXE

[depth 4] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5868 /CUSTOM Hamachi
  - Executes dropped EXE
  - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\sc.exe
  sc config Hamachi2Svc depend= winmgmt
  - Launches sc.exe

[depth 3] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" -Service
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[depth 3] C:\Windows\SysWOW64\sc.exe
  sc config Hamachi2Svc depend= winmgmt
  - Launches sc.exe

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B55FB475A5BFE3782C7AA09C2FCBA05 C
  - Loads dropped DLL

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CA9A2D5394F421146AFC57F2D75E0C09
  - Loads dropped DLL

[depth 2] C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE4AFC8453084C0D5D8F3EF729C3E316 E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS

[depth 2] C:\Windows\Installer\MSI86C4.tmp
  "C:\Windows\Installer\MSI86C4.tmp" /DontWait "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
  - Executes dropped EXE

[depth 1] C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage

[depth 1] C:\Windows\System32\jatns2.exe
  "C:\Windows\System32\jatns2.exe"
[depth 1] C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

[depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)

[depth 2] C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\program files (x86)\logmein hamachi\x64\hamdrv.inf" "9" "42b53aaff" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\logmein hamachi\x64"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

[depth 2] C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:db04a16c4ff220c2:Hamachi.ndi:15.28.40.464:hamachi," "42b53aaff" "0000000000000170"
  - Drops file in Drivers directory
  - Drops file in Windows directory

[depth 1] C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

[depth 1] C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s --get-config
  - Executes dropped EXE

[depth 2] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 6132 /CUSTOM Hamachi
  - Executes dropped EXE
  - Loads dropped DLL

[depth 1] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe"
  - Executes dropped EXE
  - Loads dropped DLL

[depth 1] C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe" -s
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

[depth 2] C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  "C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe" /escort 5516 /CUSTOM Hamachi
  - Executes dropped EXE
  - Loads dropped DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv4 set subinterface "Hamachi" mtu=1404 store=persistent
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv6 add address interface="10" address=2620:9b::1920:a7c0 type=unicast store=persistent
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv6 delete route ::/0 "10"
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv6 add route interface="10" prefix=2620:9b::/96 store=persistent
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\system32\netsh.exe
  netsh interface ipv6 add route ::/0 "10" 2620:9b::1900:1 metric=9000 publish=yes
  - Event Triggered Execution: Netsh Helper DLL

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5532 -ip 5532

[depth 1] C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

[depth 1] C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe
  C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe
  - Executes dropped EXE

[depth 2] C:\Windows\System32\netsh.exe
  C:\Windows\System32\netsh.exe advfirewall firewall delete rule name="ZeroTier One" program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe"
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\System32\netsh.exe
  C:\Windows\System32\netsh.exe advfirewall firewall add rule name="ZeroTier One" dir=in action=allow program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe" enable=yes
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\System32\netsh.exe
  C:\Windows\System32\netsh.exe advfirewall firewall add rule name="ZeroTier One" dir=out action=allow program="C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe" enable=yes
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /inheritance:d /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /remove *S-1-5-32-545 /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\authtoken.secret" /remove:g Everyone /t /c /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /inheritance:d /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /remove *S-1-5-32-545 /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\metricstoken.secret" /remove:g Everyone /t /c /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /inheritance:d /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /remove *S-1-5-32-545 /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\identity.secret" /remove:g Everyone /t /c /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /inheritance:d /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /remove *S-1-5-32-545 /Q
  - Modifies file permissions

[depth 2] C:\Windows\System32\icacls.exe
  C:\Windows\System32\icacls.exe "C:\ProgramData\ZeroTier\One\controller.d" /remove:g Everyone /t /c /Q
  - Modifies file permissions

[depth 1] C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
  "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
  - Executes dropped EXE

[depth 2] C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
  "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe" about 1.14.0
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
  "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe"
  - Executes dropped EXE

[depth 2] C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe
  "C:\Program Files (x86)\ZeroTier\One\zerotier_desktop_ui.exe" join_prompt
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Netsh Helper DLL (1)
  - Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Netsh Helper DLL (1)
  - Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- File and Directory Permissions Modification (1)
- Modify Registry (2)
Downloads
C:\Config.Msi\e58ef4e.rbs
  Filesize: 23KB
  MD5: 5956ae89f43469262501346b95349600
  SHA1: 7e38e42e87da922158b0babcc2eedb3a86e18ae0
  SHA256: 7649cf6e58a7b1e98ba8b4c303daa3e661fe4d9bf0f0c053f92b2e1db7931676
  SHA512: 53531a926e3bf10558f4d1fb444ea2d95c362ec98702166aeda08e59886ad90440406f8472e3fd8a0cadc3b17ac61692f4b49cac17e6daaaccbea1601905175b

C:\Config.Msi\e58ef51.rbs
  Filesize: 2.8MB
  MD5: 4880d687ff243ed21deb86d2e3915266
  SHA1: 31578b9c050e8751e725cd82b0b25c71ece7d593
  SHA256: 053cd55bb969dee91bb461ec22aab4f0addd3f656e97a2f34e4fee3a07a049d8
  SHA512: 59fbb95b864fa8020a7582ec8f24be6449f5662cdf96fd5c2fc79e1076f2a5c1d88ce1acd993bed01de7b2827d54893a4c37fd018935757ffe6a9d2541233ee5

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
  Filesize: 7.5MB
  MD5: f33e0de70dba0f3230e1cf3f718b9648
  SHA1: ed831d88ce5cfbe959f9e0fdf9488c7bfbe98958
  SHA256: 7c504514fe975002ce3ee60562c865397633e147aec1a0a68f32edf018b89742
  SHA512: beb455bc3e8641c000782ee41f5e0ff254c43459005065e95355d4a152a20245a559ae1ce26f8afce94b5be5bd2f116550f7df82f2dfefc7d8de11c6067da730

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianDll.dll
  Filesize: 2.0MB
  MD5: df7051274b6080da5298c61decad2fdf
  SHA1: 33168489e0704cba116af5417f66f99e5c184abe
  SHA256: bfec06ad20dddb565fea958c273dea14cd510f24be57e8f56d35168632a81875
  SHA512: 506ca6cef3bd7fd8f56e934c97d4e791e330fff492d89575ce40f0123fbffaf3010f9637af3fed997bc0d642b3027d767bd93efe6c37a06b40ba0dc354a994b6

C:\Program Files (x86)\LogMeIn Hamachi\x64\LMIGuardianSvc.exe
  Filesize: 409KB
  MD5: 0554f3b69d39d175dd110d765c11347a
  SHA1: 131bc6ca3960476e16fbaad091d26e92f2093437
  SHA256: a57d5ce0cba04806eb0c6d8943d85c5ab63119a99fa8f8000bdf54cccd1c1bf9
  SHA512: 0ebbcec7337387cb7b59a86f80269925f369112d3a9cd817fc9de5d7c978a52665ad3bd6967a8f2b36765974f808e51d8dd59fd1e80149fd5a5de4d987833f06

C:\Program Files (x86)\LogMeIn Hamachi\x64\hamachi-2.exe
  Filesize: 4.7MB
  MD5: 493510f5eb2c49efea54e58a83677e13
  SHA1: 14ec94b796cd426c001840421c4ce43750cefd2a
  SHA256: 199febb05fff1cca01f7f7672be99d9d0ee73b0371bd63513635dde133f3e2cc
  SHA512: 85b92ca63797ae5303557dc1d6771acb4bc09ddd2f3391614a3f40b2a3604b6c63566b44beb8c65da3436edad44c90b401f8b220f5fb921f287970e50438fe87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: 76ee0d6269ef4316fde97a721fc7b86c
  SHA1: 510dbe93dce5205b47bb6f5d5735479cc1c1b019
  SHA256: 3e0084137ce0f989f85763cd47afad018e93dfe939187a35ece1e909333fe124
  SHA512: 5da30c5c740ef5ec55efac7cace20a15a2f619d597e58aa9179962b32b0b4cc40d1fa317db3ad68e98abebec66ea441a8daa7a9c661a13cecdc3c569e2f6f542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA
  Filesize: 727B
  MD5: 5a324e98de8b7b4ff27373ee026fa151
  SHA1: 2fc865db95881573bd59376d8e42bc0e7becafc8
  SHA256: ffdcb460b9b7101e819f5e62812459292935df36e952d2e7600ee553696eba88
  SHA512: 1c812dea8a14063e63bad96be61c16c91516123c74e3a383fd4c9cd5f881eaa3a2d6775c0c5f7f30bf3f25b2ecfd3537e74aa46191d46fc6a15f91168fa07680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 3d1d225e6cbe0f0cb27fbed1f2d787a2
  SHA1: 4a9c9ba04a020f0dd4cab27c05996208870f92ae
  SHA256: 22efc5a1b57278450df3bc9ac027c371d73389a72d081efcef3868c28c31c094
  SHA512: 4467f9dcd92d22d76d61fecbf95b630e4739f665b778a5faa94c250a23bf1fd1c0c2dce9714b53a09da820ccc2d6cc3a0283bbd5539c40266366a7e733fe845c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: a92b3581d0fe24c64748d058fb56c876
  SHA1: cbe93341d602a9074dd0eb1d2a8e652ca995803e
  SHA256: 37ffda1c332da171db6403f2a38690d6ccd017f0fc8a524266eb721083c1ba9e
  SHA512: 2d0a36645daeaf928277bbc42d8089988a271f6634edf89c12b60441d5092e573c325196651928ccfccaa0faed81bbad06bd9380209e71d5fbf97a2564361fdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_325DC716E4289E0AE281439314ED4BFA
  Filesize: 408B
  MD5: aed55f795f81ce26eea54fc926dbbf60
  SHA1: ec287ebdea68fc8b9db32f0c644db39c998240e3
  SHA256: c5e7591714303780a45664fbf2e9e8ff365acb058e82a765f6b4777ac5b99b53
  SHA512: a6a0d21f26d9ef4b96929c9480a75cd9c389c9f510fcf21030595b51e732158b7d3c0db844538f839532ef2fe801090734d808b1c7c034b123a4f223f3d83ebe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 22ed2b6b0f3fb03ceaf748779ebe8520
  SHA1: 32691c6aab518c03a3df615d47359ea8ba2f58ca
  SHA256: bdb4de6e3a9978d6076bbbece9f636c35a06e4dc699590cc2c803d15ab2103c0
  SHA512: f3097c20c5f35c8f84811ba3d04d9a4c0f31522622203334bf4b326571367505ae0dd2652e2b11aee6be616253439563f5e031d656adfc29e5fc25fc0fdecfc7

C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
  Filesize: 178B
  MD5: f09f1e5c5c0d4d1a47782a14fb80f88a
  SHA1: d417f1113c2e5683538585c01bbc213b85f49b56
  SHA256: 46a9b1ee2520f8f1c9b51c1682d3a4715c1865594783d1200d7d2607bffac4a1
  SHA512: 21313ea338d3b10c4f55bdbad8f1c7479d1a50c2d9ec1225163bda1a1fecde2e652b5ebc271a10ca45af3c2619e349371ccddafbf77cfa79c255835cc0b3a959

C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
  Filesize: 343B
  MD5: 050b662de562724e2e970c6b1fa54f2c
  SHA1: bf66591dd1acc6148a2385cc09097ef80cf97e08
  SHA256: 1ae15cdc54a53fcbd7c47dfbc2ab33a5820cbefcf49f05f6c479b02791d7a97e
  SHA512: 30ef3772b7925538b233543004542e2f656f20df64e8d2f052d25700e2060c49cfcafae4bbb4976ab725ef6b1ec1906a004b1790b883246260bc0db93680f260

C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
  Filesize: 1KB
  MD5: 90e05b27b7ac8417d5b1b8bbded48303
  SHA1: 3448b3a4106395527140425322ee40edb98e6543
  SHA256: 4ec047e04a3f83f258757ee2aecd1e9b4bc34f7b74ba4da88f2b777ba09631b5
  SHA512: 46cf8db16bfbcdad515c55824c90c3335132b880815a5ac4051e21e31e5e93c36b2db89395beffae4de7341091485af2b4a06f20fc29e52e4be33fc499e4c1c0

C:\Users\Admin\AppData\Local\LogMeIn Hamachi\h2-ui.log
  Filesize: 1KB
  MD5: 768075c152c2dbc698a8cfdacf235b5a
  SHA1: bfad06f6b854a21911f770ed3c96ebdedb0370ae
  SHA256: 9d0dc8cc12b5c389d51ff17bda32fbdc8a6c78d92944ea4ec00f527e4c72f1e1
  SHA512: d5e2ffd5fec8e5274e6ced7faea45cfa7d6117987a8aab53562e9c8d810a6aeef9dc75532ce8d98df6a8550160cbbf70a8e00e98f65666da80127d9aafde4dbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 81e892ca5c5683efdf9135fe0f2adb15
  SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
  SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
  SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56067634f68231081c4bd5bdbfcc202f
  SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
  SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
  SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
  Filesize: 62KB
  MD5: c3c0eb5e044497577bec91b5970f6d30
  SHA1: d833f81cf21f68d43ba64a6c28892945adc317a6
  SHA256: eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
  SHA512: 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
  Filesize: 67KB
  MD5: 9e3f75f0eac6a6d237054f7b98301754
  SHA1: 80a6cb454163c3c11449e3988ad04d6ad6d2b432
  SHA256: 33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
  SHA512: 5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
  Filesize: 41KB
  MD5: b15016a51bd29539b8dcbb0ce3c70a1b
  SHA1: 4eab6d31dea4a783aae6cabe29babe070bd6f6f0
  SHA256: e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a
  SHA512: 1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000cFilesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000dFilesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000eFilesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010Filesize
1.2MB
MD5620dd00003f691e6bda9ff44e1fc313f
SHA1aaf106bb2767308c1056dee17ab2e92b9374fb00
SHA256eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586
SHA5123e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002bFilesize
36KB
MD562fd1704573f0a1ae4c7db83f9f5b470
SHA109d03a37492cfd0580ed3b819386bbc4ff64d960
SHA2563b14ad4d4df0e681fd5aba556473e39e52b31ab98f51dc3db4937bb641a6d667
SHA512c8108393f8bb91c018ee06ad51d746a33e24ad9041d5cd84792e4c59fb55639b8042ed5c1a424b47263652182ceafe516d0b6adab147e33bbf261d6aee1d3f84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003cFilesize
20KB
MD587e8230a9ca3f0c5ccfa56f70276e2f2
SHA1eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA51237690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044Filesize
4.5MB
MD58452749161e316d452945207218f3af8
SHA1d214450a4a87838a49a65172ca5c121a08dd865d
SHA256b10427e55547ea180a36def8bbb6594c535a8b7f1c4195f401dafaa9b0989e02
SHA51262e4e072e0349609dc6a7c79844efd9a3e3cc52c7e6b2f7a7bd4ed8ddded44e85875b78f62278ded1c70669c342997fabc084063bfd6bc9e5f6f750cd94c5e25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
312B
MD50e15379740eb3f0808caf5978445955f
SHA181c863286bfe3a9f65e8d15e94aab455aa54d64d
SHA2568a8ade9deb4fb4f9b8451b9155812c91e097cda9695abdddafd34817ed7dfaa6
SHA5129d308438b82a809a9c416c53af47e57cc682b342977197667211759614629a83367a7a2314dfb6ce40ba9d6e9bba7ccd27c0620863e8d2c83cfb0b7e45551150
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD56f141edf518583b6965b8f8e1f9e4b10
SHA116d1fccdaa5e5f5bf3aebe4fafe2e25d7b32b639
SHA256f23da2206c6eac1555bcc3c2a87a3e784251c96822f2fa0cf482454fa4c6eeb4
SHA512b71c4a397339ac19f0876d76bf8db9da4b9d8b7fdca0187912457a8b18b77209809a27ef4860385285c0f81f2581392aefdbf855914df47fa364ad2d4912d193
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5d662f40905b24041c9c62bffed8132e1
SHA130a40922e8c2eaf59b9e1f7f957fcc98c19dc6bf
SHA256ccd44a03103e2255c35c4e9568a16d2502e4be439268dcaf8a29b2e78ae542d5
SHA51207ff0db9421305752fa6f4a2cf60535e06d157c28d18b45ce7d0024d645a47b16eaa1a06b8656dcd7272361b7013bc78fb9eab1c23ba91c5ac7907e33e8da5ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD50e456e75a40f73bb43acb9931281ca97
SHA14890f66670ad6ade7905dd363fe3ba713bb231d8
SHA2569096b8f791eade5b05871ec655b7731d65107d9cf100c0bb01ef130955851742
SHA51238ceea01a0c6f59992da5f532bc9608a13520abc0c1d95c7dba1a5cd769535a4c08cfbb27710790b1ab7a8adc6bef1227ae8b4ae383810bb66d5f72d1cd08c2a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5c8184b13561b9a1d97cbc5b5864816fa
SHA1c01127d2409d3e1e46b1593a2fd9fe23d97604d9
SHA256290ccae6a7021b8bdb64255464dcef2388856305d10367593db04e9bac98df78
SHA512245829b886d6572c7de9fdffdf02ab5c9cd4f50930aea7992e6fc1b75217e7351fa40a3e4050013537c303ffe187b828db2c04e3a1c3a149657ba64834a1092f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD50372ea25967cccab9deffa259502d5c3
SHA1c8035ae2478fc4008027194de6d98140dd30f420
SHA2564f1c7cdb783600a5c7f7b6632bbf2a21ef0fe18e9b4f9b665732b8ccc18f7466
SHA512ec2feabaf51f4392307724ef7673e548eb9f71b6adcc2687d0a3ca02095979930f3399d8e88508a50d9053b08c69d4bbd0d88e231a5387ab8218acb2e6a3c4aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5b93373c0aad8b8d4cdd91589b0ffd9f4
SHA11e0421176e46d89c3ed97672d02316b450397181
SHA25627c6e8e35fe15f6ce078ddd7c43a7b56938f4cd587985295324cb7aa1e2aba59
SHA512778553ce528fa5b4b6b9a67867faf8143942ca293c73efed218aad0710126dbb56b0233e7ee7caa7c1a484cc6a670b1709565a08d4fb06195c6119da31546998
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e1b5248eaedc8e40578c8dad5bee66d9
SHA1fafa2a1a1cad143a4879da39fdc8cd0771d3f10f
SHA2569acbaff434f8476699fa2c8355fce2df1d262983fb5aef9d0a22ae74d4d87dee
SHA512eb81aa8bfcdc0605c98347866c6d9cfae7c3e5f069213e7ec40f1d89249aefcb23d1c44a808ff720d2014da71ac713cbbcb0e4d6497d6cf4541e0ceef14ac2aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5370ce242efb38b0cfc3d0c0f01dae995
SHA1c268ea9de6eb8e9ed2610ec81e53983d2f7a8bf1
SHA256cb8ef3fee77fba49c028f43a4326da2b176f7ae34bdfffc1640e8d46fd2728b6
SHA51205a4362ae6da6f258be6f53bfc09e0735aba40ff7b3b3f324ce1610ab277d8a03bea26b6a16103f7628619aab1f08bdddaf8f6751846c8108d4314bedf7f4bcc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50f95156070cdfbe20f7f5a5459c84c26
SHA1de5da74445315f0bb68dd3ce9b15ea63c4352d1e
SHA25675839f42b3582d08e57dd8a22f4fbd68f76fad01b799cf659344c78f09931d39
SHA512864b22729d92330b69450e3a0c89891956f06b1aad1ddd0e2e5e12d32b31246cd48a9849476a0d679ec732eade0b1de5582c16c717e2f322f0d0e2a6e82d20e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5ce609bdce10c06cda1719aaf94263db0
SHA133629b7828d47491cbd019a029425ba919e4445a
SHA256df9eb89850f0663ce9f8b9b4cd81563b1b55ccec3f8132d5a001b173977ed2f3
SHA512fb1223c99629b1042c785f1a130c0d3c136f8f902bd7a3a31c9171b5f289e6102d84fa4a7d31ef1fdc78bb70bdcbdd82156b21c57f79bb414a19fd04dd952aa1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD500a008c22fd6ae6a555ebb61232fbef9
SHA136a7d01302ef291939cd5cbae7ebca6b5c091895
SHA25670eabf4d274d3c29ae2ad17236e4061ae1edf3fe710ad0af5ef2d0c3a7928aad
SHA5125dd29769410704e4dbf1899c809b00ad7ad04656b28824833566baf630c380070a016adb3cc87ea71dcaba9af359b10ec80fdf7efa90c5ba1a8c7117365a06e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD5debe963af13846691fd0d2162c28537c
SHA1d528aa894aa7cf23265373832489333bfb4f40ec
SHA256f453513fa4a6833eb28f98c8ea1825e54200f7dd0452cab4a7f2df60348a50e7
SHA512a7202e8787470bb35b38fa53b319c16a88150697eb054f739e53c27f33c48ac0a319fc99d26d3514435bef415d5662df5ef541e137092743857fdf831da34e8f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD566464068b6f36e0cb88ed8572807696b
SHA1ef0bd512b8ad26eafe8d61a43f508ec1214de5e9
SHA256246eaa154835f8adac7246f5e0427d4f45331bdcd978c9070bbf79091e840cc4
SHA5126e265c3405f6b40b32598c8bf882f43304bba4b2bbc22d6af4bc7cf9023bfdba2e8813cabc7b8545f499a882d3025a013520229da73df101280723a3de184080
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD561a87aef8f76677eba7c934c3492df12
SHA15c9d0ddb2e43463e7d0171e3cf1112a54db190e5
SHA256bad1193bc8e4d4ba9a956e498679b67c17648eb63fe0c0510703b36815e2d4f5
SHA5124a2d56d4c7d208db9fb943130cb276c8f11f80ba86d10b199f303b57f1b1c7d72cdb3f86b9d256a19b9cf80d416700309dd3d62c67b16a08bbfc33d1c7e900be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5c2c2ac648e8af501dfd4d86f0e511c67
SHA10dbc60e74df31350b4836771d22dc8cdcdb63583
SHA256eb7c3027611adbef99aeb72ef3d8f81d73fe0d28b48bf59d27dc88279ec279d7
SHA5128db6f8b0d00afb38e4b757941870634e37dfe44c5a13c1f8622379c110340f4e113ea029d135d6344dd4daa8c7ef8a0db59bb204f6c2f2d9f25638a6134a8a09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
706B
MD58f7b9568420775866206f017f715fcfc
SHA11f0cd9804ed3f1d57ffdba4603ff4e32842b6440
SHA256ded5c17361cc4f585867edf775be2ddec81ea467339e5973f9e52e41589420b4
SHA5123088e3a36a98ab6098dea18435a30581139245989708e720558a46626346f45123cec8f1d57d582961e14534b54323b9aff8a0c648957edf954213a69154fb99
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5724d5408155d3bb34d8521ee630a7f62
SHA12f1e3ac66a340f46932842dbcb13b360c2cd7c29
SHA2564db09ca9f7687633cba7e4499fe1d694c03d35254a1debd414a696ebf83dc708
SHA512116e94be5bd57ba05008d6af3d7b83fb8729f480c25bff537b492a235e357ff950e5fbfa6e56d24675d305795a9c3d127d4ffa32a95c6108ee7c71588d75aeb3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD529e20e7cd57496b7daa1d09f1407533c
SHA1036bc5316c8716cb61408cfd69942c621dc48a77
SHA2568c253007e85cbcc88ed29df98fdfbdf36fa4d2fff25d44eff3862fe7fc13cb1b
SHA512d1178efa96c8019b64a9e58b55fc6e2a213833761fec61fa59a404308f1b64d5f463a20632cacc101517fdcfa21fadec4c3f15e51168cb5fa7087225e6150d01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2d5.TMPFilesize
706B
MD5c713d44d4f899a8f7a6edda966dc43e6
SHA1d1fa689dc438cc848ccf996224a0cccbf20ca7e3
SHA256cdb6048993be9e36663a7ef64c1552556dd934b980f39f42c8ca0a34b2b9607c
SHA512506bd0c1a0ffd964102ec6b82a8da7c4e0178117f8fbf3800e80b6af7b84cfb895a4ef57acf6eca5ae7837a51ba3ed923212018344913e336f9e2612236a5c4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f4851f01-a0d7-4b8a-b5b4-fa56e35b5bec.tmpFilesize
6KB
MD5f257059563c4d36508352b06113a5ce6
SHA1d3755693823440b529a0733482bd696a2f08a533
SHA25626fbf1bb289fce61aabc696efef85bad1f110d7e36ca9fb50326c4ee2c5f3207
SHA5125120261ee79f49f5defb05e2ae4265d7b26a4dbeef14ce759c7d4dafea9deab24621c4d58fb3507573b4fd01ae98bb696078e7aa9932cb8d6b40e5ebea8abbd7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5449547232e10578e2e844ff3992fe6d7
SHA1021f8c5859de7eedc0d41c5400a58813c1567f89
SHA25677dc3f77eacba2189da0f194dd646926925e3babcc4c6c8efe7609dbfbc34a51
SHA5123c069c47cd381e5a93028fb4422861e5c3d33a41065cc9aca9e31d4905d7f16a69c75f6dfda6bfa3b5b427de0c73cbb94bfed57a165c32d591be6ab2b2274c18
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50b47e8c120c06e5d72e2ac8f0fe5aaee
SHA1fc77ea70d903edd76571f2226fc110fff9877429
SHA25602f1e5321e348685c19d19b9b3c5c739ed74b215d9676aef49822e321f3fd4c5
SHA51252424d6f71065eb0f8072f659d298602a64d9b6595253a5bad8e6a894a23dd939232bbe2b48930f9169604a5c2591db0fd5a392462673e567e30ebee691b1c2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD521ae05308945065302a46cb5e52b74ae
SHA1561e193a7c56d2709cf95d305aa430c905027624
SHA25652bc51f60d6552b97febb006be77eeca627841a8146c6652e4cd85c9a28cb538
SHA5124cd37e912feca19582c4714120f71ff44f660216310d5b64607a7b0cd85aceb4d7a10b6b21230e34079a47de8845c2385e3b6642c771a35ac8147bc15a8fbf93
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
387B
MD5575916473cf142862b265e2237d08f34
SHA1e6221347f0eab56d6a68f36e3f14a0625e0410d5
SHA256bae9e73bf6ff5b59c7dc273b591b349ec7cb6d42d98e4a2ed8fed10077e134a1
SHA512c94e1975201c208fa1e3333b5bb9e03d3c980465e9ae9cceb848008a661b9cc63a518b26a86de190459ae8d2066ed00d2af6ceb7dc74bb8cd1eae9e489cd6825
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
584B
MD56d68bc6beb693c34235e9fdc381427d0
SHA14df32362e4c5a197239bfa78f0b4a0b0291f4e7a
SHA256246018fc960986c869a1c15e8dc2412f5ed56718d63f26f7223d401e4407b972
SHA512be9312cb2c6cf520922a70391b00ebf325b3776435917cff4f84639c790f50a144b9c5dc2b902923c7e3e4a1bf26a7e454fe5c80cecdc025d486c915b13c0600
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
1KB
MD5d0cd260f721cab3515cc1125f92efb9a
SHA17974abd6345eb07330e071b817563d6329652d83
SHA2560ec94d5e1f90afceab6240a71df3e1c167f5caf0ac4fa70968877a23bb0727d2
SHA5125509e02a57a2989eb21c5143300f25b0dd57c2b0f9c0a85ce09cc06758c793de19654305f17bdf1dd02c4f25fdc6448ce48b65585ac52bac6a0663d9c27f8686
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
2KB
MD5e070cf7ca2696e4f7caffbc532f7734f
SHA1cedacd5fce07b666be28b2f7270c0f2ae584c209
SHA2560a018e63ace52d90904c00c42cc220991959e72b860ef5aa0b5367dcdb2eff5d
SHA51243f333b1349c0f52d354099531675e0d2d2b46cdffa3b29874cd34e5d556e7b628f58279f77b32a42dd97603a33c2dca1031af6dd08b474d5631a4f4ed7bb735
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
2KB
MD545430327d7acd073fd9e03f0235ae909
SHA14a860f8c7a7ddae5ff1010e385682db0b7680971
SHA2565dcd76d947926304ed75e3eb7b6b308c89492c58e1b566c57580a465dc0708ac
SHA5120892c8e1f572dba58b55a2029f964857b254c18ef0c01f73ffc263a756b2a4560586c1e6edd0c59e01c330aedf6ea045ff5c414f7ead34d441e5a546b6e20fdf
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
3KB
MD502bdf4707f55a87f374673b2f1899327
SHA1d28ded43cf54b1d4a1cb21ead8516de25cfb7fa5
SHA256f074a3ac103b19acd6e9bb00d3406428f591cc4f85fe0c04a9fa51396bb86a6e
SHA512de778ca3ee8909f3f7bf52cf46cccb2867850d3983614ef975a616b8838ede832874b666a5170ade7c5cdaff122f969058c2234d0e264d018ddd36612fc0e158
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
3KB
MD51deab569183de40baccc374e026445b9
SHA1672346be578842de7b1338a4838f783e009b4615
SHA2560ea0d2f4794521e96442d0b412a0eec59562d4edf61dd9ecbe5acacb2d7fb19a
SHA512b81cf01cd40f7789abf82b1eb54ba875edf1c3f52f6b9fe0a5388924ab36a67450946398954d025e4a20d7d20a22b25af39b687b98aa09b6804cd27495f06152
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
3KB
MD5a8bce873393d6ec4afa9eefd057f83fc
SHA1df6a252f8b6803d6327c7c1cea8c714d3fedac9d
SHA256f69e1f345e32d6a7845a1c267870db3005f7735162539335dca408eaddfcf539
SHA51291218e17429bfc1a8ab6db2bfd97c34fedb3b077fd6c37daf54dfb00e495753edc76dfb320ab149a026371b4951fe7c946f71762e5c5a72cad57e1418df43ce7
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
3KB
MD5ddd775b7453ad2304368bbae34210340
SHA1c748d8b24342cb00a38410e1957c74f2f3762e23
SHA25658fa3dc8c4fe94c7a568d536f895990d395802cf0670b2ef7adb0db829c8db46
SHA512dddc1b48aaf72ea526341ce0f4cbe8663ee99ae319a4dfadc6b4e8038f4aaa643423d581e60c7effaef10fd8e596480766d2ebe61e9dcd555297961622108e1b
-
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.logFilesize
4KB
MD5b3ce8a1ce546f8a30232c9c44cc12e20
SHA133b43b00105aec15da4db17bc0946c89ee8638f2
SHA256dafc7b686567c427a4ca63ae32c4aa1ab5f0483a4a9222566df886cf1de5fb7e
SHA512212c30376bfa3ac42f6b6c957174af4b4e01c774a37b7527d3c3e78c6530a23836698c22c1f834175d15e50758b764d2181277bcc80a0a69cc1b48b2d52227f2
-
C:\Users\Admin\AppData\Local\Temp\MSI6E7C.tmpFilesize
588KB
MD5b7a6a99cbe6e762c0a61a8621ad41706
SHA192f45dd3ed3aaeaac8b488a84e160292ff86281e
SHA25639fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d
SHA512a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642
-
C:\Users\Admin\AppData\Local\Temp\MSI78E4.tmpFilesize
2.3MB
MD53bc82080d6356dae779eed5135fabf66
SHA1022c84f9cc59ec45315d78979497cd061658aba3
SHA256b076c9b888b130fb2fb5a74542c9a73322e78ed1f3f8476be7a8209a20e56f7b
SHA512041cd3945a22dcec792f45abc7f95b9fb7e68254948f0bfeb49de6b3501a0e13525454aa222dc4b903b3c9bafd4e0ffc2e5a99bd140238e845d3fcb7c496afbd
-
C:\Users\Admin\AppData\Local\Temp\zerotier-tray-icon.icoFilesize
361KB
MD51a6e3ea70c6612dfe3d2638ea694d523
SHA1bf366c47cc6f33f16da614330013a21a639694ed
SHA256da01e8a890873bc9b29a50f172552666cdd7b3cffe89d2bc788f2b24ee8dd022
SHA512d5c9e3ef39baacbeb273c6a03abf803b7141d4b2893f3e00cdf315f2aee2756ad43bdd60df0df27ce105a2e891b234d75d85504d67877e27cdcd01ed81cf97fd
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
3.1MB
MD5f3802bd8f99e5c9ca6c04a7addc2d0d8
SHA196c6b9feffe04c5fbefc48802ac0635f596c6a33
SHA2566dc99f25c5f794d14323fa2ed8ec891ea2fd81c359d676052574585471984d06
SHA5125eb55bf1c70c40124a4d4df4c20ece52d6ed060c874c01f1fe4b130056edead2dad3a3dd919a487f2dec03d7e5e684883770c48e53932ac7c44b8ab03dbb84ce
-
C:\Users\Admin\Downloads\Unconfirmed 106483.crdownloadFilesize
13.3MB
MD51694ee8a09ebbe56390c44bae9307406
SHA10f1886e199b60d9abd87e786e49f8a0557031052
SHA2567aa6c2e38366d1b553ce56e67f35cfa687e4ba0f7c3eaa404f5ba2449af9fbe5
SHA5128417fa25bd4769e747e539804c92223ae88c1879a8c9f3aad5e3a2f990db47d1cf319f3777cffc259fe6bff0312664f8621434419fc427d67aafdc56aa834c18
-
C:\Users\Admin\Downloads\Unconfirmed 180415.crdownloadFilesize
10.5MB
MD5316fc65318bd86fd3b71593501825de6
SHA16ae35fd08375d0fda71816125a7d18b4678821c6
SHA2564f844eb5632cb7484499ba1b237d91fb2fd4e97176864ede6e74ad33c599c135
SHA51242d7621f41ae60b7f1935dfe2c12317e8e103adf804b80be8d01223d070707cd633fe900aafd7ec0316d485229e95c1d45a501a2ab95609939f29c8e367438ee
-
C:\Windows\Installer\MSI8664.tmpFilesize
400KB
MD5989e7044be092ec5dffeab701aca2b74
SHA1ad9d61155222ba270e3efdacf1333187cffd648f
SHA256fd337377af9e152ca1b9123fb7609f6687d1a0beb78d37422639a31bfa712340
SHA512f51bf77be853111c3b1318467209cc2ee3e840bf42b7fbe56fad2e012eea7333d512c9650009919ca1aa272a58f5efddbb66f120c523edb8a9224c3a783869d6
-
C:\Windows\Installer\MSI8675.tmpFilesize
833KB
MD5926f97e932dd65679b78439ff0943ca3
SHA1c780a762ce0ca865ed515e14e8908307ed7dad22
SHA25612993932e93d9b31482836832049fd3a8f64bb4e00f2a480eef936a9de29be38
SHA5129a0fdae0ba22554c8ffd024d6b7111df3aae93ac16f9ca32cc0839bf62fc0e1bd5e04f72bc371f04cfa1f4701c15345919abf12521328e66e760f83869cce7f1
-
C:\Windows\Installer\MSI86C4.tmpFilesize
431KB
MD53525dbeca49667f19b8ea6495909f441
SHA163b4dd0e082bbf032b9a6b5f4390091a62870502
SHA256725f2c5c008a39a8ceacdbfb5539b66535b0d4d886bc9d95aa54917d83cbb0e7
SHA5123b4b960fa95b546d79c081208d8d6ae240d421411cff85585862fd4d89649737d296687e568fac56229599512abe3a18430502dcf2fbb9373ccc92824a93666d
-
C:\Windows\Installer\e58ef4d.msiFilesize
13.7MB
MD5909db4061c32f798e94d746717782444
SHA110f5ffff17d2dd4476686a941a7bcc5f9b83b1b8
SHA2566ee98db32852a2ff31a969d918bb7c730950bb15f24ea1baf996697cebc8b9fa
SHA51244e7f97b27aef2e4cb62a6a0ebab5033b99e1ec940f231eda416f3b68d83df81d10950a8ced2ca528024adecd1dea7e1d4427e78b111edbc0124d7ffd6c1232d
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.cfg.bakFilesize
1KB
MD55919a4242a1fb169c68317d18adf2746
SHA14bc5e0bbba80f43fc5bda2d45eacab772fe8a302
SHA2567e5adb2f62eb88481057a6e469ed552b15beea681c3cc4ab37c96b458d1969ba
SHA512e2b7cdd9831e3e07887b9fce9b940845158be0c0e632705f318d12d21d785af7ec6e7c45cbd5675a024188bb7fcbb0adc28f317767aadb7ae4fb3d9f0c29ce48
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.iniFilesize
474B
MD5af32645d7d08e465889b33eeeb5d2143
SHA139207de571480be4607af29dce2f66cdc6783946
SHA25619617643f90f5fe60d4fbd9a8bfaa0f1763105a6a8f44997a4e703d269581647
SHA512a3a152e3a7431501d08db93d43a385c8d4ccdb748bf01d9f0d359170c3a51686fafb910e9c6aec82885bcee30aa8e1232afa9ab3558bdb0f209fb075eeb00cfa
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.iniFilesize
474B
MD5ade722a4487730c4a812aed9306d4a45
SHA1903db592b3a64c6cdc9a12b8d17cb4b06e0467ed
SHA256a6befb399f691e7cd07e2ffbf1e7573f4e0ca61a0d0e591b0c3af7a98c91e4e1
SHA51206d1bf2fa20143d52cdc0dae1932f0c99ed8e84b19896979481482ee59ab039142e3f33eeccf53202320d2543b09e1bda56f67fb7f381298a62a40a084042cd8
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.iniFilesize
474B
MD5d9e8188fff0a4d27bc91f128db8f9762
SHA15e57392a6eb4e8e867eb1952e797280e39690437
SHA25639d29f5f710e53ad71f81414a5cda3a3e68d1e3634b8efbfe8bc2aa1f472f292
SHA5124e255da2118c7e22784a9f431b822405faddfe99d8c96778944068cca668f9af4d20e0b20189d66af36761948958c6cfac66d2cfba25782218fe51c7d8f238be
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.iniFilesize
474B
MD58cffeec178a536a92777e0ca7c5babfe
SHA18f08c2a0ee50f611af322a7daba8766b78896a66
SHA256f45bd458ecdf3c847e5b7a858becc7a5916cbbcd3cc7d5a355ea29813643aecc
SHA5120ae8230497357ddf61de95cea0e3d2397838892f4558c00df98ddee16ce0775355c305d38be4193c21810c709913c2e82fd5669b27887c330fb21c928f0011b2
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.iniFilesize
491B
MD5b60034a909f1c768b49f8acaf9f0bfef
SHA1e429bc7f07a37591bf78fd32b60f07cbe695cae5
SHA2565c87efc1ff7050daa57aa7ed9214f341b186bbd71c39b742a0cf3495a18f917f
SHA512d1d4fc416a131e528593c20003603237c15eca31f1f0ca52807bc17d0f8166ce66ac5b4816f7f2e132c496cbcfb7f6d93c045e094c2d18d900ed181a5e21ebf6
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.bakFilesize
499B
MD5892bb8ccae54a334d22fe9690a2642a5
SHA104088c2f0d8d1e6be1a09d586fed8cb8648e8452
SHA256b5db1443d02f02f17e6e47a0d0dd7832002b42bbaa1491db67b01965502c6404
SHA512133c2d0e9226204a51ea00643b6b9e6c16871d625d1aa7a052db32691936cb819d9248434832190ee88bf8bc4efb14982f681b73666d53cbdffa1432784fead9
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.ini.updatingFilesize
7B
MD50f81d52e06caaa4860887488d18271c7
SHA113a1891af75c642306a6b695377d16e4a91f0e1b
SHA25627eb5e51506c911f6fc4bb345c0d9db6f60415fceab7c18e1e9b862637415777
SHA5127ccef1661d9bae2a1a219de1d53fea0e2441354e4e4c3e111f75bf926fb12c5b0e6e7824200cf65dfa5686216b9e67436038bdc69c7ea7621f3c67b481510cd7
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
605B
MD5acbd97eee240bf37c07a41de89ad9d33
SHA1496d452cfd8db4dab0ef01aec4baf644e5cd561a
SHA2569b2970666542096da24af2d8082369e5401ac758568e6f83c22f01734cfb070c
SHA5122dab084239e21cfce91dc2f655eebf2a9f80e5a3895b060a4f63b845a8baedfa6445529cc086833701ea2210d6230029c611e052e049e791e79cda30efeb950d
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
966B
MD54aa8e3e461af87e5d1e2e13638ac6b76
SHA185c2ff791273c825e7f7250494560325db73f567
SHA2560e95110007b34d4e00c1498924601bf8be7276ee55084adce402cb6facf186e0
SHA51271cf81c61af31199bc70ce1407cd916338db69dd9703dbe77da241936226b33651a9f3427e93f321460190fa74e99096e67cfb6185b006a1f3516cee1847493a
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
1KB
MD53eef04de70851d1f6288426073b5ea67
SHA11c5d940970a8485a43f422aae41129de6770e390
SHA25677f3d5b3427caa6c2bb46fc07a6ceacf6bc480891ba7fa176db6dc5497572f22
SHA512ca957fbbdf7d3b9a1747337a109cfe659c5156fa59d3e0e0c76db23a08b127c4001b3b6dfd76bdd9670fa6e3646baba3cc6a0c848b9ee7c7252e8c9d1aabd315
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
1KB
MD58a7c359235f722d31cc5a9f17a328793
SHA1be0c2a3dd2b0ef0f0362b6e6d943de51bd588bec
SHA256fd8dd4caa4a14db6cb85faf715a1000b0618e55f67f99b1a2be0a1be9224c8a3
SHA5128570759fae40a27b3d404ae927db25e5404cdcde0a6213a0efe38c6b4b8e323dd8d6aff6ef77942e4aebb2cd062ba3a0051d0ec8f26c0b7bdb0a2c982a5e39e5
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
2KB
MD5da31a1c8398502c8159b8ce4312f05d1
SHA1dfe33a76f14a6cc6dddd4913b48c30e92daf5618
SHA2562070845c8269ea715afbbec1a4da0194c3fcc7fb00503776dca835f588d93501
SHA5129e3bacb57e4786edb64fc1e469ffec24fd8d0604cabd79589de3c99fe0c05f959c12d1238a869a85fa2c53341431fc976becadfd7c3d8cbcd1dd713bb83e444a
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
3KB
MD549896e9c1e02c733989bd6fb70413c75
SHA1d1a0a7d528265149d363f1a91f09a34cb997568d
SHA256a6f766d9af5205cbee823bf9add8d03bdff8f13ad1d604dcac25bc18c901b149
SHA5124b97046f4b592954a8c74ae291932c51478ad6e81e546704475376b50d8d6e0b20a785e3f9a6d8f73acf3e509262bdc9f75572f90c8bb3b2b5530331b59cac27
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
3KB
MD583f4d83cd50698660307cde8d02ffb14
SHA1c267eb4e707c6c5d78f61defce5be2c64f9e3c6a
SHA256b57e40547687db6175ef6824ea82e8a021cc93cc5f28d47a9bc17182c42b964a
SHA512f055e463359a7ebc44e003b1a45725c9bc654bb4bfe149c601eb83ccbb085b37bb83492ec952fd55f6070bbb352db732ec32e3fe76e8eb21abbbf125f49a4a29
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
3KB
MD5f03f2ac20b08e8be929df3927193b071
SHA1187af37130fe6e7b2d1703a09d7eb22b71f6d873
SHA2565a85dbe732dd07fcb094d8ce9db610e8fef983022d2323799294a226f2902b30
SHA51281be90751a8117fd14fc97c7c958bcbc2a9e0c5e13723fa90e25c0235c0c75f53ae00eeaf30d71320dcdb6613f1c2d5120b7eaa0820a3e3253d8d481285c8609
-
C:\Windows\ServiceProfiles\LocalService\AppData\Local\LogMeIn Hamachi\h2-engine.logFilesize
4KB
MD56b1ea196bc987cb881ced0fc7b4636aa
SHA151a5034d5850bf1e8d430d3a225627384f0ee9de
SHA256f6806750041ec9de32f2d927215b553dac2db78f53734b3d8ec83bf029763095
SHA512edac2b3e4724123eab877a22dba4fd52dccac03f5c417b3e3486e00c5db98c7ed661b6ae5ded8967a4bc2eff56d86d4965c572973fbf9d2b509200f3dc99011f
-
C:\Windows\Temp\HamachiSetup.logFilesize
1KB
MD51d536ec4b7d5b2714951736f457e4441
SHA101c44f121233ee20d33d5ed35df212e80d23a282
SHA2569b1aeaf3f04a4805cb54f090279343a9db21a837211d09939b37cdfe81940f7f
SHA5124a388b748f0ff9c36d8e425d49aa856f9a2f8879fe817d1816587bdb0c97e42f5ed245780c25f21838d455b6dbe33515cd64b6dde722e0c0fcd0cdc06f15872d
-
\??\c:\PROGRA~2\LOGMEI~1\x64\Hamdrv.sysFilesize
44KB
MD57f79205b4efa98f0767309479c8c01c6
SHA19d546dda7536a85a3f4228e065967be1648ad901
SHA2564b576903a83f33a8cf31d3887144a3d51c56d1187115c83ac99c0e9f6b4bf128
SHA512418ac89f3c5996de50c846693995145e314d0cd7edee59f0cdc212720d84be1351827c7ab02e870d1940288f5c4838d39c77fbc9847b69ab5fce5d74400c19ca
-
\??\c:\program files (x86)\logmein hamachi\x64\hamdrv.catFilesize
10KB
MD5f49c69fcca067884f38e9cab20ba8920
SHA1bbe2113cfeb8b9a2234d97849c05c4a72b368a7d
SHA256e436ceef0126e703fe48bd669e3748e468b6f8027a8b6c2ae779f2911e65331c
SHA512e233dc261ea650d0cc01834591ba5c7e113daa23da7ada913c589ddff13c7d5b946da5f3f649e81de9afa664d0c4bf5b6fc921e359c252dee5132c8f584c60d3
-
\??\c:\program files (x86)\logmein hamachi\x64\hamdrv.infFilesize
6KB
MD5da79247b2ba817d655c2db44bdebff1c
SHA1fb62be8194096675dace18cd1217217ec2f85777
SHA25635e3427711eb7e0645d3f4ffbc3dd73b16e96ef1dc4c210db1f67229283f414a
SHA512e124e5bce81d09713b959a54da96ca7679b9880e69952faef360c7f0311a6d85a97d377281edbae22e61f7e3204847fb4eafd64a15aa97079bf9cda2cf1f0328
-
\??\pipe\LOCAL\crashpad_4840_IWZADZYEPBGWEEMH
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1868-185-0x000000001BD20000-0x000000001BDD2000-memory.dmpFilesize
712KB
-
memory/1868-1781-0x000000001C650000-0x000000001CB78000-memory.dmpFilesize
5.2MB
-
memory/1868-184-0x000000001BC10000-0x000000001BC60000-memory.dmpFilesize
320KB
-
memory/1876-177-0x0000000000440000-0x0000000000764000-memory.dmpFilesize
3.1MB
-
memory/3148-264-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-268-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-269-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-258-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-259-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-257-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-267-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-266-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-265-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB
-
memory/3148-263-0x0000021A7C550000-0x0000021A7C551000-memory.dmpFilesize
4KB