Analysis
max time kernel: 600s
max time network: 590s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 12:59
Static task: static1
Behavioral task: behavioral1
  Sample: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral4
  Sample: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Size: 153KB
MD5: 1b51840b9af837bd65732bcc6300740e
SHA1: 4899fa8f8df8bc923bd300ff079ffb89e960890f
SHA256: 7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c
SHA512: 115b9d7f520ef62fe323a7986131c11a14ae77237a9a63637257827665f9aa7b1bf876a35abada3f2f0eaa68794efd75d355e086b3188f872d0752b7ac96cc92
SSDEEP: 3072:QGXG0qvTNFMJFHXQEkQkS6vmCNQMblOZhpwXuqOmg:QGXSvTNFMHHXQHQkjNVl4wXBz
Malware Config
Extracted
pony:
  http://67.215.225.205:8080/ponys/gate.php
  http://216.231.139.111/ponys/gate.php
payload_url:
  http://123-engagement-ring.com/F2ziEErm.exe
  http://sultanesmonterrey.com/6VRjCFx.exe
  http://cafedoc.info/BxvUvh.exe
  http://butelii-oxigen.ro/fojJM.exe
  http://aurangabadproperties.com/rfoMUzmK.exe
Signatures
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell with its display window hidden.
Processes:
  pid  | process
  3696 | powershell.exe
  4980 | powershell.exe
  2544 | powershell.exe
  3796 | powershell.exe
  4420 | powershell.exe
  1188 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\DRIVERS\SETDFE2.tmp | NPFInstall.exe
  File opened for modification | C:\Windows\system32\DRIVERS\npcap.sys | NPFInstall.exe
  File opened for modification | C:\Windows\system32\DRIVERS\SETDFE2.tmp | NPFInstall.exe
Manipulates Digital Signatures 1 TTPs 8 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = [data omitted] | certutil.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f | certutil.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = [data omitted] | certutil.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = [data omitted] | certutil.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = [data omitted] | certutil.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | vc_redist.x64.exe
Executes dropped EXE 18 IoCs
Processes:
  pid  | process
  4496 | Wireshark-4.2.5-x64.exe
  3472 | vc_redist.x64.exe
  5084 | vc_redist.x64.exe
  4960 | VC_redist.x64.exe
  3856 | npcap-1.78.exe
  5072 | NPFInstall.exe
  908  | NPFInstall.exe
  5116 | NPFInstall.exe
  1816 | NPFInstall.exe
  5436 | Wireshark.exe
  5540 | etwdump.exe
  5600 | etwdump.exe
  5660 | dumpcap.exe
  5716 | dumpcap.exe
  5768 | etwdump.exe
  5828 | dumpcap.exe
  6048 | dumpcap.exe
  6100 | dumpcap.exe
Loads dropped DLL 64 IoCs
Processes (identical repeated rows collapsed):
  pid  | process
  4496 | Wireshark-4.2.5-x64.exe
  5084 | vc_redist.x64.exe
  4256 | VC_redist.x64.exe
  3856 | npcap-1.78.exe
  5436 | Wireshark.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
Drops file in System32 directory 64 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
  File created | C:\Windows\SysWOW64\Npcap\wpcap.dll | npcap-1.78.exe
  File created | C:\Windows\system32\Npcap\Packet.dll | npcap-1.78.exe
  File created | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDCA8.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\npcap.sys | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF | NPFInstall.exe
  File opened for modification | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140ita.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
  File created | C:\Windows\system32\Npcap\wpcap.dll | npcap-1.78.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDC97.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.cat | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\NPCAP.inf | DrvInst.exe
  File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140enu.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140kor.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
  File created | C:\Windows\SysWOW64\Npcap\Packet.dll | npcap-1.78.exe
  File created | C:\Windows\SysWOW64\Npcap\WlanHelper.exe | npcap-1.78.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDCA8.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF | NPFInstall.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF | NPFInstall.exe
  File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
  File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
  File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.sys | DrvInst.exe
  File created | C:\Windows\system32\mfc140deu.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
  File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140fra.dll | msiexec.exe
  File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
  File created | C:\Windows\system32\Npcap\NpcapHelper.exe | npcap-1.78.exe
  File created | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDC67.tmp | DrvInst.exe
  File opened for modification | C:\Windows\system32\concrt140.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
  File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.PNF | NPFInstall.exe
  File opened for modification | C:\Windows\system32\mfc140u.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140rus.dll | msiexec.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\npcap.cat | DrvInst.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e} | DrvInst.exe
  File created | C:\Windows\system32\concrt140.dll | msiexec.exe
  File created | C:\Windows\system32\vcomp140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfcm140u.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
  File created | C:\Windows\system32\Npcap\WlanHelper.exe | npcap-1.78.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF | NPFInstall.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | NPFInstall.exe
  File opened for modification | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
  File created | C:\Windows\system32\vccorlib140.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
  File created | C:\Windows\system32\mfcm140.dll | msiexec.exe
  File opened for modification | C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\NPCAP.inf | DrvInst.exe
  File created | C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF | NPFInstall.exe
  File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
  File created | C:\Windows\system32\mfc140cht.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\vcamp140.dll | msiexec.exe
  File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
  File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\mfcm140.dll | msiexec.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 916 set thread context of 2552 | 916 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Drops file in Program Files directory 64 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChWorkBuildDisplayFilterSection.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-view-menu.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\MTA-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChAdvShowPacketBytes.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChStatHPFEEDS.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-pref-protocols.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-tools-menu.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.lucent | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\MPLS-LSR-EXT-STD-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\T11-FC-ZONE-SERVER-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\APM-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-mate-dns_pane.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.3com | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.actelis | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.waverider | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\translations\qt_tr.qm | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\DOT3-EPON-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\IFCP-MGMT-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\IPOA-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\SNMP-SSH-TM-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\WinSparkle.dll | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\dtds\itunes.dtd | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\dtds\pocsettings.dtd | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\ietf-key-chain.yang | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-file-menu.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\diameter\Starent.xml | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.aruba | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\FRAME-RELAY-DTE-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.utstarcom | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\MPLS-OAM-ID-STD-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChTelSCTP.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChapterAdvanced.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\toolbar\x-capture-file-save.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\pcre2-8.dll | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.motorola | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.rfc6911 | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\SNMPv2-SMI | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\FEEDBACK-FRAMEWORK-PIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\COPYING.txt | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\IPFIX-SELECTOR-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\RADIUS-AUTH-CLIENT-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\NOTIFICATION-LOG-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-main.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.bintec | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\plugins\4.2\epan\opcua.dll | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\MIDCOM-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChTelRTSP.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\IPV6-TC | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\RFC1414-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChBuildInstallUnixInstallBins.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\radius\dictionary.juniper | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\SNA-SDLC-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChAdvNameResolutionSection.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChTelISUPMessages.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChWorkIgnorePacketSection.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\ChWorkTimeFormatsSection.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-export-selected.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\pdml2html.xsl | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\sharkd.exe | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\AppMessagesDetails.html | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-pref-appearance-fonts-and-colors.png | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\multimedia\windowsmediaplugin.dll | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\FCIP-MGMT-MIB | Wireshark-4.2.5-x64.exe
  File created | C:\Program Files\Wireshark\snmp\mibs\SONET-MIB | Wireshark-4.2.5-x64.exe
Drops file in Windows directory 21 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\e5a9271.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9ABD.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9C06.tmp | msiexec.exe
  File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
  File opened for modification | C:\Windows\Installer\e5a925e.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\INF\oem3.PNF | NPFInstall.exe
  File created | C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} | msiexec.exe
  File created | C:\Windows\Installer\e5a9270.msi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | NPFInstall.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File created | C:\Windows\inf\oem3.inf | DrvInst.exe
  File created | C:\Windows\Installer\e5a925e.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI94BF.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5a9286.msi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI96E3.tmp | msiexec.exe
  File created | C:\Windows\Installer\e5a9271.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 43 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | NPFInstall.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | NPFInstall.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | NPFInstall.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | NPFInstall.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | NPFInstall.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [data omitted] | vssvc.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | NPFInstall.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | NPFInstall.exe
Checks processor information in registry 2 TTPs 42 IoCs
Processor information is often read in order to detect sandboxing environments.
All 42 entries are attributed to dumpcap.exe and Wireshark.exe, i.e. to the packet-capture tooling installed during this run, not to the sample; five dumpcap.exe instances and one Wireshark.exe instance each perform the same seven reads.
Processes: dumpcap.exe (×5), Wireshark.exe
description | ioc | process | count
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe | 5
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe | 5
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe | 5
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dumpcap.exe | 5
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | dumpcap.exe | 5
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dumpcap.exe | 5
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | dumpcap.exe | 5
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe | 1
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe | 1
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Wireshark.exe | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Wireshark.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Wireshark.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Wireshark.exe | 1
-
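The processor-check entries above, like the HKEY_USERS and registry-class tables that follow, are flattened "description ioc process" rows, and the process column is what tells the sample's activity apart from the Wireshark/Npcap/VC++ installer chain that ran alongside it. The Python below is an added example, not part of the Triage report and not sample code: it rebuilds the rows from a flattened stream and counts them per process. The TOOLING set and the row subset in STREAM are my own constructions, assembled from process names and rows visible on this page.

```python
"""Rebuild the flattened 'description ioc process' rows of a Triage registry
IoC table and attribute them per process, so analyst tooling (here the
Wireshark/Npcap/VC++ installer chain) is separated from the sample."""
import re
from collections import Counter

# Event descriptions used in these tables. Longer forms come first so that
# "Key value queried" is not cut short to "Key queried".
DESCRIPTIONS = (
    "Key value queried", "Key enumerated", "Key created", "Key deleted",
    "Key opened", "Key queried",
    "Set value (data)", "Set value (str)", "Set value (int)",
)
_DESC = "|".join(re.escape(d) for d in DESCRIPTIONS)
# A row is "<description> <ioc> <process>.exe". The ioc may contain spaces and
# quoted values, so the process is taken as the last ".exe" token that is
# immediately followed by the next description or by the end of the stream.
ROW_RE = re.compile(
    rf"(?P<desc>{_DESC}) (?P<ioc>.+?) (?P<proc>\S+\.exe)"
    rf"(?= (?:{_DESC}) |\s*(?:-\s*)?\Z)",
    re.S,
)

# Processes this report attributes to the Wireshark install rather than to
# the sample (assumption based on the process names visible in its tables).
TOOLING = {
    "Wireshark.exe", "dumpcap.exe", "NPFInstall.exe", "Wireshark-4.2.5-x64.exe",
    "VC_redist.x64.exe", "msiexec.exe", "DrvInst.exe",
}

SAMPLE = "1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe"

# Constructed input: rows copied from this report's tables (processor check,
# HKEY_USERS, registry class, outlook_win_path), joined the way the flattened
# page presents them, including the process-list prefix and trailing "-".
STREAM = (
    "dumpcap.exeWireshark.exedescription ioc process "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dumpcap.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Wireshark.exe "
    r"Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor dumpcap.exe "
    r"Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "
    r'"Isolated User Mode (IUM)" DrvInst.exe '
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe "
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\",1" Wireshark-4.2.5-x64.exe '
    r"Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook "
    + SAMPLE + " -"
)


def parse_rows(stream):
    """Return [(description, ioc, process), ...] from a flattened row stream."""
    header = "description ioc process"
    if header in stream:
        stream = stream.split(header, 1)[1]
    return [(m["desc"], m["ioc"], m["proc"]) for m in ROW_RE.finditer(stream)]


def attribute(rows, sample=SAMPLE, tooling=TOOLING):
    """Per-process event counts, split into sample / known tooling / other."""
    per_proc = Counter(proc for _, _, proc in rows)
    return {
        "per_process": dict(per_proc),
        "sample": per_proc.get(sample, 0),
        "tooling": sum(n for p, n in per_proc.items() if p in tooling),
        "other": sum(n for p, n in per_proc.items()
                     if p != sample and p not in tooling),
    }


if __name__ == "__main__":
    rows = parse_rows(STREAM)
    for desc, ioc, proc in rows:
        print(f"{proc:<28} {desc:<18} {ioc}")
    print(attribute(rows))
```

Run against the full 42-row processor table the same way, the per-process split comes out as 35 dumpcap.exe and 7 Wireshark.exe events and zero for the sample, which is the basis for reading that signature as tooling noise rather than sandbox evasion by the sample. The ".exe followed by the next description" rule in ROW_RE is what keeps a value such as the Wireshark DefaultIcon path from being mistaken for the process column.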
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 61 IoCs
Processes: DrvInst.exe, msiexec.exe, chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643123669229888" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
-
Modifies registry class 64 IoCs
Processes: msiexec.exe, VC_redist.x64.exe (×2), Wireshark-4.2.5-x64.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Version = "237272852" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mplog | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.syc | Wireshark-4.2.5-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.erf\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\",1" | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.erf | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\VC_Runtime_Minimum | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.syc\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5vw | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.atc | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.enc | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tpc\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lcap\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5vw\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\ = "Wireshark capture file" | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tr1 | Wireshark-4.2.5-x64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pkt | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.trc | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7} | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Version = "237272852" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mplog\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tpc | Wireshark-4.2.5-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\VC_Runtime_Additional | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcap\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file" | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pklg | Wireshark-4.2.5-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0" | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{D5D19E2F-7189-42FE-8103-92CD1FA457C2}" | msiexec.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: Wireshark.exe
pid | process
5436 | Wireshark.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: chrome.exe (×2), msiexec.exe, NPFInstall.exe, powershell.exe (×6)
pid | process | count
1100 | chrome.exe | 2
644 | chrome.exe | 2
1276 | msiexec.exe | 8
5072 | NPFInstall.exe | 2
4420 | powershell.exe | 3
1188 | powershell.exe | 3
3696 | powershell.exe | 3
4980 | powershell.exe | 3
2544 | powershell.exe | 3
3796 | powershell.exe | 3
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: Wireshark-4.2.5-x64.exe, Wireshark.exe
pid | process
4496 | Wireshark-4.2.5-x64.exe
5436 | Wireshark.exe
-
Suspicious behavior: LoadsDriver 6 IoCs
pid | process | count
660 | (no process name given in the report) | 6
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: chrome.exe
pid | process | count
1100 | chrome.exe | 7
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe, chrome.exe
description | pid | process | count
Token: SeImpersonatePrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeTcbPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeChangeNotifyPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeCreateTokenPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeBackupPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeRestorePrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeIncreaseQuotaPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeAssignPrimaryTokenPrivilege | 2552 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1
Token: SeShutdownPrivilege | 1100 | chrome.exe | 28
Token: SeCreatePagefilePrivilege | 1100 | chrome.exe | 28
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: chrome.exe
pid | process | count
1100 | chrome.exe | 64
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: chrome.exe
pid | process | count
1100 | chrome.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe, chrome.exe
description | pid | process | target process | count
PID 916 wrote to memory of 2552 | 916 | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe | 8
PID 1100 wrote to memory of 464 | 1100 | chrome.exe | chrome.exe | 2
PID 1100 wrote to memory of 2112 | 1100 | chrome.exe | chrome.exe | see note
PID 1100 wrote to memory of 1488 | 1100 | chrome.exe | chrome.exe | 2
PID 1100 wrote to memory of 2092 | 1100 | chrome.exe | chrome.exe | see note
Note: the 2112 and 2092 rows together account for the remaining 52 entries.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_win_path 1 IoCs
Processes: 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\1b51840b9af837bd65732bcc6300740e_JaffaCakes118.exe" "3⤵
-
Depth 1: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffdd4beab58,0x7ffdd4beab68,0x7ffdd4beab78
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:2
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2820 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2828 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4124 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4780 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3392 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4156 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5020 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:1
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5332 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5792 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1932,i,10492769813007929950,11177186855229562608,131072 /prefetch:8
-
Depth 2: C:\Users\Admin\Downloads\Wireshark-4.2.5-x64.exe
Command line: "C:\Users\Admin\Downloads\Wireshark-4.2.5-x64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
Depth 3: C:\Program Files\Wireshark\vc_redist.x64.exe
Command line: "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
- Executes dropped EXE
-
Depth 4: C:\Windows\Temp\{E316BDDD-47AB-4793-8822-CD5F46DB5E7F}\.cr\vc_redist.x64.exe
Command line: "C:\Windows\Temp\{E316BDDD-47AB-4793-8822-CD5F46DB5E7F}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=516 /install /quiet /norestart
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
Depth 5: C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\.be\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{515F5505-3187-4E36-9CBC-E9DE6A2DCD3F} {828061CF-A6AB-408A-89C0-892E0763E777} 5084
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
Depth 6: C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{4923A4F9-687A-42F9-B837-F2C574EF549A} {8A46141F-C5B2-4D41-ACB4-47277FF42BB6} 4960
-
Depth 7: C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{4923A4F9-687A-42F9-B837-F2C574EF549A} {8A46141F-C5B2-4D41-ACB4-47277FF42BB6} 4960
- Loads dropped DLL
-
Depth 8: C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{F796631B-CC33-418D-B5A3-C26B9FEDD8A7} {ECC3B0D6-352E-4F27-ADEC-82827F739E37} 4256
- Modifies registry class
-
Depth 3: C:\Program Files\Wireshark\npcap-1.78.exe
Command line: "C:\Program Files\Wireshark\npcap-1.78.exe" /winpcap_mode=no /loopback_support=no
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\NPFInstall.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\NPFInstall.exe" -n -check_dll
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 5: C:\Windows\SysWOW64\certutil.exe
Command line: "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
- Manipulates Digital Signatures
-
Depth 4: C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
-
Depth 4: C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 5: C:\Windows\SysWOW64\certutil.exe
Command line: "C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
-
Depth 4: C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
-
Depth 4: C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
-
Depth 4: C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\signing.p7b"
- Manipulates Digital Signatures
-
Depth 4: C:\Program Files\Npcap\NPFInstall.exe
Command line: "C:\Program Files\Npcap\NPFInstall.exe" -n -c
- Executes dropped EXE
-
Depth 5: C:\Windows\SYSTEM32\pnputil.exe
Command line: pnputil.exe -e
-
Depth 4: C:\Program Files\Npcap\NPFInstall.exe
Command line: "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
- Executes dropped EXE
-
Depth 4: C:\Program Files\Npcap\NPFInstall.exe
Command line: "C:\Program Files\Npcap\NPFInstall.exe" -n -i
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
Depth 1: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
-
Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
-
Depth 1: C:\Windows\system32\srtasks.exe
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
Depth 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
Depth 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Depth 2: C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{64021aa7-69ef-864a-a26b-99f1ac94ea85}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Npcap"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
Depth 1: C:\Program Files\Wireshark\Wireshark.exe
Command line: "C:\Program Files\Wireshark\Wireshark.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
Depth 2: C:\Program Files\Wireshark\extcap\etwdump.exe
Command line: "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-interfaces --extcap-version=4.2
- Executes dropped EXE
-
Depth 2: C:\Program Files\Wireshark\extcap\etwdump.exe
Command line: "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
- Executes dropped EXE
-
Depth 2: C:\Program Files\Wireshark\dumpcap.exe
Command line: "C:\Program Files\Wireshark\dumpcap.exe" -D -Z none
- Executes dropped EXE
- Checks processor information in registry
-
Depth 2: C:\Program Files\Wireshark\dumpcap.exe
Command line: "C:\Program Files\Wireshark\dumpcap.exe" -i \Device\NPF_Loopback -L --list-time-stamp-types -Z none
- Executes dropped EXE
- Checks processor information in registry
-
Depth 2: C:\Program Files\Wireshark\extcap\etwdump.exe
Command line: "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-dlts --extcap-interface etwdump
- Executes dropped EXE
-
Depth 2: C:\Program Files\Wireshark\dumpcap.exe
Command line: "C:\Program Files\Wireshark\dumpcap.exe" -S -Z 5436.dummy
- Executes dropped EXE
- Checks processor information in registry
-
Depth 2: C:\Program Files\Wireshark\dumpcap.exe
Command line: "C:\Program Files\Wireshark\dumpcap.exe" -n -i \Device\NPF_Loopback -Z 5436
- Executes dropped EXE
- Checks processor information in registry
-
Depth 2: C:\Program Files\Wireshark\dumpcap.exe
Command line: "C:\Program Files\Wireshark\dumpcap.exe" -S -Z 5436.dummy
- Executes dropped EXE
- Checks processor information in registry
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
- Modify Registry (1)
Downloads
-
C:\Config.Msi\e5a9263.rbs
Filesize: 19KB
MD5: fba12a360b0979edcc6d5c7033caa4e5
SHA1: 2a731d8fe1414c8c23847c82a0ec8ca98b84fa5a
SHA256: 663155a1bf8f50681887599e9a058bb3fc64412c3d3f28af9124f4d82a671842
SHA512: 30d23faf8129ed21419182030eb6e8c9428b60993101260173296999609dc9e0e4e7cdfbca83f6757cc24a3de9e557591284709ad11714c110f2c0e6cb529f55
-
C:\Config.Msi\e5a926f.rbs
Filesize: 19KB
MD5: f26f5e62bce99016d2b86ea7eb4c8482
SHA1: 63672157b97f6f0428f83e2e4b7b259584c04041
SHA256: 799101b749cd02bf53290af706d967a85a77d304dfbc4cebd87f86bfc1957e9c
SHA512: 3713246103241f215f46b25d2345c032f6c46b7aaa29880af8938a28e6c2acb4de9776ed511672866c0dc67bc184ff9ea6f15efe00089f0ca497101c95d72e0d
-
C:\Config.Msi\e5a9276.rbs
Filesize: 21KB
MD5: 8ea6f9064322058e29aacb7c825adb43
SHA1: e51a89852129c30c377de03137020097d4dc74d2
SHA256: ef8b81c05c8805179ee436e029a0581efb5e236250bd893660e48494803e45d5
SHA512: ac29afc9890b421e4da336a453828c9b36ca8976fbc1b819b1848026068a3090b150105fe9dfd6db102be9edece11d6002cfba0d9ffc8aa0bc6d2778af3190ca
-
C:\Config.Msi\e5a9285.rbs
Filesize: 21KB
MD5: cad9f4f712afe14997acada5190f0a70
SHA1: c52f4ee95c088ddf6d5ea487b5f7f814b40e345f
SHA256: 3b04f7cafdcb9b9c4346c7405a93aac4f38ad4db7eb01ea0c449de5d1c574471
SHA512: c5850a4d480a24a2d432ae09d5475fd28a8d9975e9979b9c2c68a8f452a4b68689f137ec04acb813d1191011a77b98c378ed12a4f168999b74802a5f04ae4bd6
-
C:\Program Files\Npcap\NPFInstall.log
Filesize: 790B
MD5: a64a8bf37cf161f1095c6c58c9f28c73
SHA1: 66c0de489c00deaefe8d2177780568988777c9ce
SHA256: f928d1451f3d90d4f2a244961c3fc6bf6f3c2954b8735d596b134b2a3adee5d4
SHA512: b024ba4923ddebff2ec6f6dfb2d8f2c5308a72a57c1d4d502c286ad74237205246b73289901bd846bb3ac7c51e3633f77fc922d77f420763f07318eb22c9e567
-
C:\Program Files\Npcap\NPFInstall.log
Filesize: 1KB
MD5: 448b50c781f574022e647944d71a3fae
SHA1: 800ded7141eb2acf7dca32b62f7ea6158b8533a8
SHA256: a666cf812da3b19b83060d238bc2744474592afabf755979e5e43b26f43f285e
SHA512: cae4cc49d30c99d3dff615e184cff3e37f1a27acd2b0ded793d8ff64216145422fa856c7779b591c9f5a26338539b9a1ad6d67ce23bca2f853a981e7508b739e
-
C:\Program Files\Npcap\NPFInstall.log
Filesize: 3KB
MD5: 3d6a29be2a724423b6e34e01a2a8b881
SHA1: 48146742a523f184e5c603ec340d734ab8cfbc2f
SHA256: ce5483b6e244ea4869b82dd67fa2b42ea1c796ee64c34af8932bc5590774f5d2
SHA512: 6d23b87ceab455b7400d1292b093f289dcff820745e83a9a68a09494b3bbd9705573e810afcc7fb2a2aa519859fdde5b9c8176df35c6e6986d9b31fc0c9e4dae
-
C:\Program Files\Npcap\NPFInstall.log
Filesize: 4KB
MD5: 226eaae404044f50a0066f35b7fd9b83
SHA1: 1d4a4d15d94a14888f0cb4c739eff8b92b4bf19a
SHA256: af5f0a8373889cd9894c96235dc6ec6bb8609f27b5b99ef90fc734a54f6dcdb8
SHA512: 4872e766dfb118a2ab9c543e20ddd65b0f22c872da8c747eef66cca6c0483f72079be5ff37ef36ab27627e0fc113d9dfa826f6f052ccb72001fe13e6623a3599
-
C:\Program Files\Wireshark\Wireshark.exe
Filesize: 9.2MB
MD5: c122bd9e7b543d91715efee2bb840d46
SHA1: c93acabcb0c83d402c3f055d1299c73fe2741f5c
SHA256: 7f1be9e3c1ded9704f4f2b7a580d96666d2182191f800eb5139c346bc41fb0b8
SHA512: ed09ce5c8bd001407ddec2dcbdb4e37ea3f234143942a3582b500404888012bcef2cfc224ec8273db0a5a2d0cc379d48b4955e1ce1b9b22d3a8229860a7f430c
-
C:\Program Files\Wireshark\npcap-1.78.exe
Filesize: 1.1MB
MD5: 1b7dfff4e1f16785d5e800c193301bd7
SHA1: e1ee172ee36999daa3cfb2a0406fd8950038cefe
SHA256: deeb39ae22a44ea2698c4a58732e621bc45b84686a444c405491fef946898d90
SHA512: 71f8affed3e51b00c85039f211218c5eee66b724bd674bdd4b1c609cff3c440a4ab6ee0c6fa7bc8de39dac5a65f7c7c04a8dcae3baf52c091c512f293ec86920
-
C:\Program Files\Wireshark\vc_redist.x64.exe
Filesize: 24.2MB
MD5: 077f0abdc2a3881d5c6c774af821f787
SHA1: c483f66c48ba83e99c764d957729789317b09c6b
SHA256: 917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
SHA512: 70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\31c0e295-b467-4418-9978-31d5adcc0f32.tmp
Filesize: 7KB
MD5: a7b790bc6a83513e1433a6b30bbe873f
SHA1: 3f7c470e93bf3b8779431e1e3dc16a75d6e274ac
SHA256: 3295c00b8a0b6d03409d9cb2f2a0ee4b01eae60ba05a29e2d32e30c008c9f24b
SHA512: 70c045373013ff1f9418aba6955763b1fdbf1bdaa7eac91e67abac53dfb4bf8da677726fb5e97b3e908b01b9e68dca5740abf7f1ca516ab7e570950dccf14c07
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize: 211KB
MD5: 151fb811968eaf8efb840908b89dc9d4
SHA1: 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256: 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA512: 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000053
Filesize: 47KB
MD5: 1af625b5988f4098155457b42c9e7604
SHA1: f101a2737ad079176c92bc2684f8961b074ad710
SHA256: 44d44ea3935d534f44d0e33117954cadb08b712269e12e10093755e3d4885014
SHA512: b81654c38578ee6acb3ef12ced4fb5edaeb698add94d68a6745db933582494170ac6a048022eeb2dd734372232673f7ed50102fc8fc3094e3804110b20172d39
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000058
Filesize: 19KB
MD5: 0e598b4e0838f1540edaaa0ebf6d1e68
SHA1: a69cc56bc59a19d8e0da1b74db64b0f6c319e095
SHA256: 4ed8eeb9c3e8abd8a3ae9a6e4a0da56d3bb513938555795256d73cbd578bbe17
SHA512: 4a00bd10f567a45b9a3332a50803002f4a089bc38b065657e2a921d505c0a10c4275add2d6c9b4c3ea6a5ba87ccff47140aad0222bef3fceac331de97cb1f273
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000059
Filesize: 32KB
MD5: fe0cb11576905a924b316b72b715c2e3
SHA1: 31a833346d235602a4fc51b49ef9bf57d9d1409f
SHA256: ee9fdfd767036158d8d3bc22f6c3095c5bfa6c17d4611eaacd45a5a829a864b9
SHA512: 0227816287e01021bc07b84db89642ed0cc5e1c3a653a8be2c38bc53dcb17cd62b1a45051cf143ba9c2a5880df961d281192547fbb0788d95659ec5169e98ac4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 83a097c23228f3e08d04f8f5c554a142
SHA1: c34b12cb2b366c974b291c47be3be402a7dcba56
SHA256: 58a65244383c29b447c5dbeda16e0b9df709d206a007b279feb2f7b0955c4cee
SHA512: 27f38c391d1aabb682f63c5737798d4b9b705ba5a8808feb9caed696a353d695e13591f49507cf04bcc0bcd0846e291e8ab4a91c2bcd671a1845d645db221475
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: 20588fc78967683cc3113034525c097a
SHA1: 7291a0cf694c3ff854887fdfc1507660034c11a6
SHA256: ebfb8a16d65bad5453d413a2dff52b2184a113614d0e5fc71f277599869c958d
SHA512: 604eb3ab37aace46890a522f6ba0c16f6fc5bda9a12d55b8ba1d791fc19921da51fe068ecae3510dff799e400bd92900f77648a2fc55ac2f6800ed6903d01fed
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 5KB
MD5: 75e08fa64592721bb1868ac5d4574aa0
SHA1: cd6b3e79a3aeafd42860a031191832fa8f973610
SHA256: c4b7976f02ed810a3a68e4c7149ba1f6943aba55d46f7eea2418043662c4eb4d
SHA512: 2e7dd370ea0c8382726f098947773cad7fb40556e56adbf5fe95dcfb8a4b3ace3198a0930e46842412e6226f24f19a719fb42a5a31648f6b97091d049a5462e3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: 8de6d2c5479eef10219fe0c4f16ae109
SHA1: c2686a201e6c14f7a562527d28c93e815e5ce74d
SHA256: 6e283e0982571fb14d9ce0222f49527243fe26f436045014f70f79a380f1fa96
SHA512: 082b3e0bbc85cf8d6d057a13c422739f63574d188e41b7ee0b7fac55edf19dffb7c4bae9aca5ee043140d8656dc562a71a904685552e82bbf0c7d2f97bda5de0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize: 4KB
MD5: a0a0aa088d30553b180b6fd620a8c03e
SHA1: e6a73a2a643bf1b3ea1cb91f3bb57f8429d44eb5
SHA256: 0d19647a01e9179791e0de921617ec7e69bd6707e2aec04c5c2bf89738e1a0a9
SHA512: 911e564f242a9766c464e25ba3f5979ecdbfdf85354f6050f7cab969a94dc6c255d3571ffb57350ca787b991473bb6c0f673b1e966fd486af15fdfb8cf59a710
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 356B
MD5: 683d711aed339fadedb5de89324e54af
SHA1: afac2609304a8729771c433652c678ff0dab95e2
SHA256: db099cd2719aaf9a4f5349181a51eec172f4d93be01005e8a767259ba09debb8
SHA512: de558b81b1762d3485595629a2bc947b01dccf1b948cf3ee4ce2e636324a384b6b3b3e56631a949103897b6a9cd9510d9591452671b1000f4de5eda8ecb26454
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 1KB
MD5: 4c91ebb599a620d9111471e7402429fc
SHA1: d9ac3e270ff736dbb9052fe5ab26728bca6e02b0
SHA256: 45095c38208fd17aeba70e8bdc39104c5b4eb21d7c4aa3f4a4267ceabd0afc04
SHA512: c1e0a6f1fa80ad60aba2947ed9d009ec34aac6c91ad869a1082ee54acaa972d07390895d2b6e30482dd7ec3e2cda751f3d1820f5d0a404c1b034150f84f75e3b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize: 692B
MD5: 33b58a77f13fe7253e016df0c2de93c0
SHA1: 46239c594d2cf1bc46d922849746a285ae871f19
SHA256: 4b11b26f0c0229baf37f9ba9feaeae5c73c442c43feec451da5bbd1f0b4512c6
SHA512: a31ee5b9ae754b13ceae905e42bef7fa673ceea663c35b03fc5fd4d630c73c64c2ec425e30869a37e9f47f6f07eb5e21263a0b7137df448c3530825289ad01a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
860B
MD53e56e9708bd833b0ae5803e554488f16
SHA131c8b178f1339ddc94a9424c67c2ced56315502d
SHA256e9b21a1c45f807fd607a035b1f89ed61388a49baa45052e625f85957a99c9304
SHA512db80c6287582d6d8edd4ffb9e1cd274e248abfe7d274984c873d5dde65a842d5efb05262276153f3fe2c8c539e2312160c68bd15880b11d00a7b655e59350bbf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5f230b5e09570f29f65a1814b0822ff59
SHA1aa8bf82fce5033a0c23706d52d4df1d01300b5d8
SHA256a13fa63b78fdf69f07e899b6f1e73d5891f9c2d7baeb18c532cb5cb511e5fcce
SHA51230f0dbd13e2c7716712154e45166cd53b73b8925f7ef86d2de49ac779a54aa8afbca5ccf46587d4e39cc67d31a0b54d7f3f9b52d54c3655ff2c2fa10e436e946
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD57173f6f04e9ad26a1ad60306e2d90e33
SHA175f6b7f47213c38436c1abfc42dc19c0fb304c48
SHA25604ee037c40a464671d0c5c2ce3f5b8a15431181694f02d72bdc99e20d4c00c30
SHA51236cbcd09cd38c8b3a3c3ff51f702528d8772fa68cf4bcd325848113b2bbcc435955f969721217a5bb212ffdc0ca6a76e1fb043ed3df5f899413e09e8529239a0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD525c03b0a0ad3dfeedb2dba154114a39b
SHA1629cfa8502d0f7cdec8659f891585adf888f72f6
SHA256698e17d55b2f8820d3d8c2112d3d992a20cf74a145b2bb4845b27ad6dcbd5e25
SHA512db6aff17857e074b49c86d227c825c0f55b1bb860707c79b99f2eab5117ea5e4d4f92c81752e7ea05b464aac5f09128b0b1fff424d3f331086f27287bc910ff7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5985df5bcbe006d310c5841cdd6ff3cc2
SHA1a5d2eb2269d7399582948d5f6947bcbdc2dfc98d
SHA25612ae3ebdbe4f88f8956943a1ca53665f24b5f423e1610408c897a2668b0d237d
SHA512cc3ea8965b7c4b2b9926f28713973f26606cb86d4eef6799be7f0533a9ad8d2704e26176ea0b7574c2aaf6b4c99462f29b7f3e40fcbc7660406c77e8b95b87bb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD59a9d118b61e4e87377516de8be5765d7
SHA1a05bdabd8cc67f55a78934040a38135fce2ea3b7
SHA256f0e29a3126abbb3f8b1a4be0c020b95a35019d8ec05481c73207761c93b0c8a7
SHA5127cada3748681bbd0660d443f64a9e0fdc2c15a55a3513dbd65294a05c8f5f0842b37908f9b2cc260a013409d225c0d84d368fc96f5f7af9d92926ec56cb9a1d7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5c8a5c0bae78ecc2dd532081416622472
SHA1f3f3e90da8098837221b5e99b7eee410af1ef395
SHA256371849f3d12a134052920e14c346b375b958b5617bb42c66c462f3e85eb84d91
SHA5129430b8e828e070e892de3b854e43f80eb405fa055125588e71593218b480cbfc017237f6af086d4cea6a5b5c34c27e1cd33e35ce93e4656f60d61750a5e7fd6f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD575ed26e2a6833c72ebb10b309797996c
SHA13d31307766283780a87879cbe769723f991da2db
SHA2564582e62b403ee48f2323c4bb76e5ec25114b42cc7cf17861dde1e652fabfd9a4
SHA512aa1f458a7df49f1e119a4129e08b834e8ab459b89a6976f3510bb9c69ae87a26a7261130067d91ec4b795a750f8b84f42cb21b0fb02b2d42db0a28392c415454
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
56B
MD594275bde03760c160b707ba8806ef545
SHA1aad8d87b0796de7baca00ab000b2b12a26427859
SHA256c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968
SHA5122aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
120B
MD58cdefad8c9ace4adbef00fbe6c4b9a70
SHA1cfc8f73bd3d6507e606c596971f3dd13a9a1a43a
SHA25615c29cd610480bdc5c8aed181c4ebd1dcd4ba8fdba1cb58675531e7b3f8af99f
SHA512a7c88bc1f8f60a0f2c90a4c28fdffeb16c18d420538dfdc6775c08a89c33940146483b0775f6ffba099ea6f5b120db2392232502b30b206c20669149c6ea33bf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe584419.TMPFilesize
120B
MD54a2f5fbd56e4e09107185b585afd8fe3
SHA1d4bf515dedca443ffbd0476abee33cab4d0b302d
SHA256fd002e50d7ba8aff480a929211258a69c1a5c47db94219e53907731dba0ddacd
SHA5124ee062d24d6f6ba2c7b7639d039b418667b728f8d8d91c184762557e2fec94da865042a1c14a8d0684fd7fef67b14aff47700502a6c13cb7edde1e21212e5e75
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD598962fe05ed80d6630ad59451a2efbeb
SHA124e6b5d6110601b34eb9e6352b6e33356aedb92a
SHA256d982925b4c27b702f4e227d6a2211f332ee4fa1b7be5643f6ad8a0708e394575
SHA5124519a3a40fd3dc904f67057edd13924c8e43803aa622faf1663357bc1bf16704d9d508df2a5256d92e116a8e11df3a7ba233ad86da78323cccbc9840a9d34ad0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588cca.TMPFilesize
48B
MD5fb146b8d17aebda523313dbec41997b8
SHA17466f6502944a9b37795b6b028f1309408158916
SHA2561a12b5356d6e3e51fee6ce3942a31775316111169c39d29e3a0dd5dc8be9351c
SHA512860c768201a37d9743288150fdd9986333b738eae70028f23577c9e25b6051f1b6ef13d821603851446e0ea86e7659bb552420ea3af09afc95f8f188a9617357
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
269KB
MD5013fca6dd1af0f628019c41c450b4a14
SHA100a6037a15968ed0b70141701b35f37bc8c9be24
SHA256127606546c854eb3b8f82abe43d06f106b44744e0af46932b80b0297a730f739
SHA512380a524135d559d2872f14899779eb5afcbfb560ce9145bac1bfcdc04eeda700b583ac3e295b63dea8fbd107b6d80d8122098d02677c1ded6c1ffbe9247a564d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
94KB
MD5805c991ed25f5acd35f8f7290f170522
SHA116924fbaed39c43e3534050cf9850b2c68b6836a
SHA256e285cf15e28f285fe2aac6a05b563f0c70a981c9eb7f9acdf2c96f2186911f6e
SHA5120cc356a826c47159c28f33b93c2329abbfa345f1f245cb2ec8a03981f20b5ae0f722fc5e652216d6ebe2ee8a8fe25f78dd2149bf4047bda357768ae75b4d0fa8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
96KB
MD52e1c13fd4a8076d066f1782f06496062
SHA14ed6bda9fe51710f841dd72291abe445587e70eb
SHA256161f37d5534bc7881faf4788975029a818dab4372efc82f1848e59cee56a204d
SHA5122801c0b2d532c97de15ea83bf756708f8682c34baa496a7ca42fa4d0af7700db0c801f8243ad1be8b8c59e95887c813756c4e1c7ef622e4e4a6e97edece60674
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
88KB
MD561ea61aa1b78fe19e59864b9e1bb77c4
SHA150c31a82a5f38fa37fe06e8e7d4b596e511ccb76
SHA2561d4b983195c7741471261d062315fbb65d8192c26780b64ca84584c472024176
SHA512def88d592c78abbcace3d073fba410cd6d84210216c23ee9cec1ebe7e90871ccfb3c74918c259aefa2b0c5505975de86b2fb98ae839d3796d839792fa946478b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
104KB
MD59ffffd80ad8c242f69e3c9fd0b2da39a
SHA194defb1f2f8ddbf60bd022561006ca9301fb6eea
SHA256bad88216c2cf51e4b15d34be3fa4af35855404585f1914d23af65cf08e82609f
SHA51215ac4eb72d953d27ec772c160ca86d131a5015d42d2544df36f480084c1cf72701abab02b7063a4daadc0718605c56ac7ad275987eefdc9850b7fb45c5a94627
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD52f330b8d0fa9694645097a75d1564f8b
SHA1e8f43d3d9d692908ee755d9c35039e466bcf6840
SHA2561c9a4691e4098de49cc1547e62fb12ded37a153417e58f6cd5cee6bb72549e51
SHA512eca9fa26a56ce06b3b1a03e3a43ab44c09f963a459f44af6136941956c8de40f25a49b0322c2e268a382ddffdbc62cbaf4b12a401308878b1c575aa78e7019df
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mhkvn02.oqs.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240701130238_000_vcRuntimeMinimum_x64.logFilesize
3KB
MD547f4c088c074c96936ed5f72647f0efc
SHA11bacfebc5900b73224e7b074bd5599d6d86bface
SHA256859b6a5c71dcb1866cbf2027ca8b6f88c622e7393544182c295c1cb307d2a6c4
SHA512a46eb751a866fa5ba25119925a4f0427cda76563196f5a21452940ed8ba016e5bc9d7a621446583b1303727721129a41f25cbebc644066d6774a0b6eaf4bbcd0
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240701130238_001_vcRuntimeAdditional_x64.logFilesize
2KB
MD5975f2988539835ea188aad8259560909
SHA164c0700f4f6b73fbdfbd54f318d50792ee151206
SHA256310755eff6e842af062bc63730d6dd0379d8736b94194fd83f5c3ef78c9a5284
SHA512597b7b54072942669e4f5c3707f6b7d363402e6606b240ed6917625f346206b0ef2c51bde36c1c83b74162ceb84b9d1f426a5132574974f65e5399afcd10831e
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\InstallOptions.dllFilesize
22KB
MD5170c17ac80215d0a377b42557252ae10
SHA14cbab6cc189d02170dd3ba7c25aa492031679411
SHA25661ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA5120fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\NPFInstall.exeFilesize
300KB
MD581d0878756464d5d29ac24e1137351c2
SHA19294500e980918b0c672038cc6f928c4304d3eb2
SHA25671af514081d5aee6946ee7a72546696c79e3d120a821351d8fe107fae70bdb0e
SHA5127b06c22e16d9b91520e5806d77424ade7d53323791ca7fd373c9957759058f1507dee6deb3bcfbd65f1ea707b5d3ce229991e56a30269ff055ad317aba200237
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\System.dllFilesize
19KB
MD5f020a8d9ede1fb2af3651ad6e0ac9cb1
SHA1341f9345d669432b2a51d107cbd101e8b82e37b1
SHA2567efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
SHA512408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\final.iniFilesize
568B
MD5cae757421db8d011e41266bfd9439885
SHA17108a9f0740ee4e3a118f6ac9212e0446f074181
SHA256ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204
SHA512785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\nsExec.dllFilesize
14KB
MD5f9e61a25016dcb49867477c1e71a704e
SHA1c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\options.iniFilesize
2KB
MD54c03a565eafdd997f6d501d81e3ad3c9
SHA11a8e728e164148dc08c4b24242721e6ecf515812
SHA2560f5a91ef783df6ea57ff35297d7a05f5cc6b38b04ff6f307eabb08be6484b43f
SHA512fd1c34b3f5ffe51fd91ee82ad68b131918724e6b0b4b19947c17ad169bf3cd1bcd37d6fea36afac817929a9f74c13a65b5e1736de83af65dfdcd895f002e229c
-
C:\Users\Admin\AppData\Local\Temp\nsmAA2E.tmp\options.iniFilesize
2KB
MD57939b0b43b9b24204dbeff83bcc8a769
SHA1c8244e2dd99595b416acec0f61f31a634cd31fcc
SHA2567de10b466028176bc120f63a5659b9508eccc01d724247736788e4af1cb57b52
SHA5126e1adeeb0b6d8ea62a694cb87134b1c71e0ff2cd9d7ab372bc75cfb0f0cc8c46737709676e1e59d414a02f36a2aca6157a0fef95dfa6b257e7cef7d80dd69638
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\DonatePage.iniFilesize
904B
MD5a7503cc175535989650d0749c18c8881
SHA11f4d8aed9a2677e9a2f0467c022fc98b732ce81a
SHA256e0f775ff3740334da3924a6537b87d8fc1211942e42d4565f9edd26cf50e7b3f
SHA5123495eee44dd3756b180e50a6f59e3b5fb41707bd243e9f2631e8f23e8f2cc1f668e449a0f905d8876e997c341adbc234ca4a0b7a6f9857d77ee7fd2f689face5
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\InstallOptions.dllFilesize
15KB
MD5d095b082b7c5ba4665d40d9c5042af6d
SHA12220277304af105ca6c56219f56f04e894b28d27
SHA256b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
SHA51261fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\NpcapPage.iniFilesize
2KB
MD53047ef10bc4dac8f8c0090f3795b887e
SHA1d70821e32182e5d19347f92d9103ec201c3ccd2b
SHA25645d648521243644111b91a6cd41896b65f351d596655c055e250624c7c6b7e9f
SHA5120c439e008ee8824f2a164a797965b68fad8ee8b312f41053dec1cf6d8e2b45e1e29f2a1c303cb8bccbaae8942598ded6e220fab520d2c1786d889748efca5bb7
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\NpcapPage.iniFilesize
2KB
MD56d92cfc906fb0684194241de46130860
SHA1f1b71ec77becf094746fc2b1e5c7b8a06f4c8568
SHA256eca18a27265e0c02a715cd107848253f8b4dd95728090f3f05a2721201bfe8cb
SHA5124128cffdb1f9a94c37e5e800772c0214399ac164b0a8b92071c7215d937f80853a39f14e9ebd759b50d85b96c96efcb3ffd25a17fcea63cd9293dcbcadfd9a96
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\System.dllFilesize
12KB
MD54add245d4ba34b04f213409bfe504c07
SHA1ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA2569111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA5121bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\USBPcapPage.iniFilesize
2KB
MD5a323e772d1baafe44a8da08e279a9e55
SHA14722efac36a08c158a5051a2a3dead68043c57ff
SHA256c7d0fb579ec899afdea12be9cb881e0be735ea1cda313486dcb845b9d057c676
SHA512cddb81cd773c55c3c1624d356b1a6942ddc4ba2227573af068d07a1efad62bae3a3c585b02ecbbb9ce9e31afc86fcdad477b61b2878a05bb74705966523e3139
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\USBPcapPage.iniFilesize
2KB
MD5e99e395d6bfc37663626c4a01c732692
SHA175813eb6682b97de44dafdd6f98afae7e4d3868b
SHA256b4c5e164a7dc968941eab553a3c0f53f3aae8209b8eef74d4be9838b78b51503
SHA512e13cf96693c5d3971fdb5b14ee25e629b7016b045719f59d451789651127323b0a260f6c085f0b746b64d04a06a4d408aafc20eb71635d6064d8584af20973f6
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\modern-wizard.bmpFilesize
25KB
MD5cbe40fd2b1ec96daedc65da172d90022
SHA1366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA2563ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA51262990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
-
C:\Users\Admin\AppData\Local\Temp\nsw1EC6.tmp\nsDialogs.dllFilesize
9KB
MD51d8f01a83ddd259bc339902c1d33c8f1
SHA19f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA2564b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA51228bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
-
C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDC67.tmpFilesize
12KB
MD5de72efb03052c07948619b29a991097f
SHA1734b1c18a3f1d6367b274aca6aaa1c7af05c570f
SHA256168e04bc04da8cc8fcd8e796682346efd5dc3a1fe7aeb6292b88b004405a25de
SHA51211b16cd1e93b65a64c3ab03f15fdf789ee9b89cd2e04688238ad1584e8cdda49749b5ae772a54836cda05bba45097ca3863ece75a8ab3cb6a662541360040c24
-
C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDC97.tmpFilesize
8KB
MD516db6977ce750fa6cd3f9f7be93cc087
SHA1b899075de2c186ec0fed298af470791025ab8fbc
SHA25641c067a985f2770b9f1f38f0558d3661b333154e09022831de8a5acaf56c5b87
SHA512b0941daba49451644293530a0a567d5621cab8b8e6a3a981da2a3079df21242529d3118fa9d2b956405e15319a0d690a4f37e9a6b8242ebe2b009a2d88ca63e6
-
C:\Windows\System32\DriverStore\Temp\{0b075c4e-bd4f-e541-aec0-85c52057167e}\SETDCA8.tmpFilesize
75KB
MD556fc763587dae7a34a6c39ebfa44a58f
SHA1ca5a73a1d59526e73809e13f2dc95a7738c36ad0
SHA25698abb948f100c7d47c80141a058c869eeca59c357e42c1fedd4cd44140617ca6
SHA5127bcd793d8b05b0c60c49a4cea34b7b885a0340f9ebee16f96051238306974bbdeed36d08bf83d88d64ae4fc7f37e8f7f7dbcae335bc5722269f8ea26954d7cfd
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\.ba\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\cab2C04DDC374BD96EB5C8EB8208F2C7C92Filesize
5.4MB
MD546efc5476e6d948067b9ba2e822fd300
SHA1d17c2bf232f308e53544b2a773e646d4b35e3171
SHA2562de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138
SHA51258c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\cab5046A8AB272BF37297BB7928664C9503Filesize
935KB
MD5c2df6cb9082ac285f6acfe56e3a4430a
SHA1591e03bf436d448296798a4d80f6a39a00502595
SHA256b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11
SHA5129f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\vcRuntimeAdditional_x64Filesize
188KB
MD5dd070483eda0af71a2e52b65867d7f5d
SHA12b182fc81d19ae8808e5b37d8e19c4dafeec8106
SHA2561c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07
SHA51269e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a
-
C:\Windows\Temp\{1E2437AD-7FD9-4420-BA45-6B558ED6DBA0}\vcRuntimeMinimum_x64Filesize
188KB
MD5a4075b745d8e506c48581c4a99ec78aa
SHA1389e8b1dbeebdff749834b63ae06644c30feac84
SHA256ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93
SHA5120b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada
-
C:\Windows\Temp\{E316BDDD-47AB-4793-8822-CD5F46DB5E7F}\.cr\vc_redist.x64.exeFilesize
635KB
MD535e545dac78234e4040a99cbb53000ac
SHA1ae674cc167601bd94e12d7ae190156e2c8913dc5
SHA2569a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
SHA512bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
-
\??\pipe\crashpad_1100_AGBLBIQCXHGZXVUXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/916-4-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/916-0-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1188-2018-0x0000000006260000-0x00000000065B4000-memory.dmpFilesize
3.3MB
-
memory/2264-1442-0x0000000000ED0000-0x0000000000F47000-memory.dmpFilesize
476KB
-
memory/2552-34-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2552-5-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2552-4656-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2552-1-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/3772-1404-0x0000000000ED0000-0x0000000000F47000-memory.dmpFilesize
476KB
-
memory/3796-2273-0x0000000006F20000-0x0000000006F52000-memory.dmpFilesize
200KB
-
memory/4256-1441-0x0000000000ED0000-0x0000000000F47000-memory.dmpFilesize
476KB
-
memory/4420-1996-0x0000000006730000-0x000000000677C000-memory.dmpFilesize
304KB
-
memory/4420-1981-0x0000000005940000-0x0000000005F68000-memory.dmpFilesize
6.2MB
-
memory/4420-1995-0x0000000006700000-0x000000000671E000-memory.dmpFilesize
120KB
-
memory/4420-1999-0x0000000006C10000-0x0000000006C32000-memory.dmpFilesize
136KB
-
memory/4420-1994-0x0000000006130000-0x0000000006484000-memory.dmpFilesize
3.3MB
-
memory/4420-1984-0x00000000060C0000-0x0000000006126000-memory.dmpFilesize
408KB
-
memory/4420-1983-0x0000000005FE0000-0x0000000006046000-memory.dmpFilesize
408KB
-
memory/4420-1998-0x0000000006BA0000-0x0000000006BBA000-memory.dmpFilesize
104KB
-
memory/4420-1982-0x0000000005730000-0x0000000005752000-memory.dmpFilesize
136KB
-
memory/4420-2000-0x0000000007DA0000-0x0000000008344000-memory.dmpFilesize
5.6MB
-
memory/4420-1980-0x0000000002DB0000-0x0000000002DE6000-memory.dmpFilesize
216KB
-
memory/4420-1997-0x0000000007750000-0x00000000077E6000-memory.dmpFilesize
600KB
-
memory/4420-2002-0x0000000007B30000-0x0000000007B6E000-memory.dmpFilesize
248KB
-
memory/4420-2001-0x00000000089D0000-0x000000000904A000-memory.dmpFilesize
6.5MB
-
memory/4980-2054-0x0000000006160000-0x00000000064B4000-memory.dmpFilesize
3.3MB
-
memory/5436-4580-0x00007FF76AA60000-0x00007FF76B39B000-memory.dmpFilesize
9.2MB
-
memory/5436-4578-0x00007FFDD0DD0000-0x00007FFDD1391000-memory.dmpFilesize
5.8MB
-
memory/5436-4579-0x00007FF76AA60000-0x00007FF76B39B000-memory.dmpFilesize
9.2MB