3bd13a521b1e9d100e800b666705da132e584cccbd4f30c88e9cf0d93289b2fa

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wireshark-4.2.2-x64.exe
Size

82.4MB
MD5

8065ba4793da47e2263bb4ce27a0d363
SHA1

2b8f90a64b1dad7791de0b430f661788f8d082ce
SHA256

3bd13a521b1e9d100e800b666705da132e584cccbd4f30c88e9cf0d93289b2fa
SHA512

17ecef2c94e4f30b58068b398cc5401a18f1e5919eeeefae541fc6e4810752da568bb54a2fa583115d4cecea712d817f37d34e8d42a95f354965bdb322a74cf4
SSDEEP

1572864:h/Pn6aSZnQObir9UDSnpyzYpx9nHTrULfehHNrDYE2DqB9KZAmd6PTAceSbu2AFH:h/P6hn29UsbnHHULkHF2+BMd67QYfAaM

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Wireshark\radius\dictionary.quintum	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.wichorus	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\libgnutls-openssl-27.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\nghttp2.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\brotlidec.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.nokia.conflict	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\cares.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.kineto	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.ruggedcom	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.audiocodes	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc4603	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.versanet	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\colorfilters	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.cablelabs	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc2867	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc5904	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\eap.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.altiga	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.meraki	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.starent	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.acc	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.cisco.bbsm	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.dellemc	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc7155	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\krb5_64.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\libsmi-2.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\Huawei.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.3com	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\libspeexdsp.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.localweb	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.mikrotik	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.shasta	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.microsoft	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.surfnet	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.aerohive	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.alcatel	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.sofaware	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc6930	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.wimax.wichorus	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\dtds\reginfo.dtd	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\smi_modules	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\AlcatelLucent.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.openser	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc3576	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.camiant	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.wimax.alvarion	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\lua52.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\nghttp3.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\Nokia.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.bskyb	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\gmodule-2.0-0.dll	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\sunping.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.nortel	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.yubico	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.lucent	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.nokia	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\diameter\Juniper.xml	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.bluecoat	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.extreme	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.freedhcp	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.aruba	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.livingston	Wireshark-4.2.2-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.springtide	Wireshark-4.2.2-x64.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58b1b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e58b1ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58b1ca.msi	msiexec.exe
File created	C:\Windows\Installer\e58b1df.msi	msiexec.exe
File created	C:\Windows\Installer\e58b1b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7B2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2}	msiexec.exe
File created	C:\Windows\Installer\e58b1c9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC18.tmp	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
4644	vc_redist.x64.exe
400	vc_redist.x64.exe
412	VC_redist.x64.exe
4560	npcap-1.78.exe

Loads dropped DLL 13 IoCs

pid	Process
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
1860	Wireshark-4.2.2-x64.exe
400	vc_redist.x64.exe
1048	VC_redist.x64.exe
4560	npcap-1.78.exe
4560	npcap-1.78.exe
4560	npcap-1.78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008bec060def88e6600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008bec060d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008bec060d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8bec060d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008bec060d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.snoop\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.atc\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vwr\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\VC_Runtime_Additional	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\",1"	Wireshark-4.2.2-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\27DD5200959A5B540A3AE7EF1BA50805	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.cap\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpz\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.out\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tr1\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vwr	Wireshark-4.2.2-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rtp	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.cap	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.out	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{D5D19E2F-7189-42FE-8103-92CD1FA457C2}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\ = "Wireshark capture file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ntar	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file"	Wireshark-4.2.2-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\.erf	Wireshark-4.2.2-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf5	Wireshark-4.2.2-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bfr	Wireshark-4.2.2-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1260	WINWORD.EXE
1260	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1860	Wireshark-4.2.2-x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: 33	3940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3940	AUDIODG.EXE
Token: SeDebugPrivilege	4500	taskmgr.exe
Token: SeSystemProfilePrivilege	4500	taskmgr.exe
Token: SeCreateGlobalPrivilege	4500	taskmgr.exe
Token: SeShutdownPrivilege	412	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	412	VC_redist.x64.exe
Token: SeSecurityPrivilege	2036	msiexec.exe
Token: SeCreateTokenPrivilege	412	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	412	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	412	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	412	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	412	VC_redist.x64.exe
Token: SeTcbPrivilege	412	VC_redist.x64.exe
Token: SeSecurityPrivilege	412	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	412	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	412	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	412	VC_redist.x64.exe
Token: SeSystemtimePrivilege	412	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	412	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	412	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	412	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	412	VC_redist.x64.exe
Token: SeBackupPrivilege	412	VC_redist.x64.exe
Token: SeRestorePrivilege	412	VC_redist.x64.exe
Token: SeShutdownPrivilege	412	VC_redist.x64.exe
Token: SeDebugPrivilege	412	VC_redist.x64.exe
Token: SeAuditPrivilege	412	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	412	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	412	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	412	VC_redist.x64.exe
Token: SeUndockPrivilege	412	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	412	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	412	VC_redist.x64.exe
Token: SeManageVolumePrivilege	412	VC_redist.x64.exe
Token: SeImpersonatePrivilege	412	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	412	VC_redist.x64.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe
Token: SeRestorePrivilege	2036	msiexec.exe
Token: SeTakeOwnershipPrivilege	2036	msiexec.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1860	Wireshark-4.2.2-x64.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe
4500	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE
1260	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4644	1860	Wireshark-4.2.2-x64.exe	98
PID 1860 wrote to memory of 4644	1860	Wireshark-4.2.2-x64.exe	98
PID 1860 wrote to memory of 4644	1860	Wireshark-4.2.2-x64.exe	98
PID 4644 wrote to memory of 400	4644	vc_redist.x64.exe	99
PID 4644 wrote to memory of 400	4644	vc_redist.x64.exe	99
PID 4644 wrote to memory of 400	4644	vc_redist.x64.exe	99
PID 400 wrote to memory of 412	400	vc_redist.x64.exe	100
PID 400 wrote to memory of 412	400	vc_redist.x64.exe	100
PID 400 wrote to memory of 412	400	vc_redist.x64.exe	100
PID 412 wrote to memory of 4796	412	VC_redist.x64.exe	112
PID 412 wrote to memory of 4796	412	VC_redist.x64.exe	112
PID 412 wrote to memory of 4796	412	VC_redist.x64.exe	112
PID 4796 wrote to memory of 1048	4796	VC_redist.x64.exe	113
PID 4796 wrote to memory of 1048	4796	VC_redist.x64.exe	113
PID 4796 wrote to memory of 1048	4796	VC_redist.x64.exe	113
PID 1048 wrote to memory of 1152	1048	VC_redist.x64.exe	114
PID 1048 wrote to memory of 1152	1048	VC_redist.x64.exe	114
PID 1048 wrote to memory of 1152	1048	VC_redist.x64.exe	114
PID 1860 wrote to memory of 4560	1860	Wireshark-4.2.2-x64.exe	115
PID 1860 wrote to memory of 4560	1860	Wireshark-4.2.2-x64.exe	115
PID 1860 wrote to memory of 4560	1860	Wireshark-4.2.2-x64.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Wireshark-4.2.2-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Wireshark-4.2.2-x64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files\Wireshark\vc_redist.x64.exe
  "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\Temp\{46BF31EF-B948-4527-B62D-AE2C847B99A7}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{46BF31EF-B948-4527-B62D-AE2C847B99A7}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=656 /install /quiet /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5E7D1600-573E-46DB-8D01-BEF29E68E286} {0AC1BFBA-A9DC-4569-8F7B-7CE7A4F3ED20} 400
      4⤵
      Adds Run key to start application
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{6FC121CD-2FAD-442A-AF79-330DA61D94F8} {16358523-154A-40C6-A2DE-9852EBC3C65E} 412
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4796
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1016 -burn.embedded BurnPipe.{6FC121CD-2FAD-442A-AF79-330DA61D94F8} {16358523-154A-40C6-A2DE-9852EBC3C65E} 412
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9F50E1EC-D821-4E16-BB98-211C22E112CE} {AAE5FC33-42B3-4AD9-99F2-F59A38CA3C1A} 1048
        7⤵
        Modifies registry class
        
        PID:1152
- C:\Program Files\Wireshark\npcap-1.78.exe
  "C:\Program Files\Wireshark\npcap-1.78.exe" /winpcap_mode=no /loopback_support=no
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x380
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4500

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\OpenShow.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58b1bc.rbs

Filesize
19KB

MD5
b33146064bb9ea2f5a8ce066f52df116

SHA1
0f50cc832d3bb4046c77ff3b38b78dc6ec897536

SHA256
7aa6355d0185fd8d85676a29bfe3b72ad85ce0fb5c136be12fbd8d92388770d8

SHA512
0223b60f5e6bd30619d199069beeb760a1dce508710b2e51779bd3fe4c1920ccf47ff490b1fc5a11a172cd8c363da880a56b0537d4d37030642f184cb383e0e4

Download Submit
C:\Config.Msi\e58b1c8.rbs

Filesize
19KB

MD5
28a37f9295116c3ae754f6d9bd091eee

SHA1
3f6cee001c0c04457d717392e7839660a9cf675c

SHA256
8e80e01ec063c68fb8a1c93bc403f63e07356c2ab7371e0fca41aec176a4de8c

SHA512
192da035f96adf41766c1db2c3b55bb0a7bc4cf194821618c8c2ff536a19addfad65e3046b8b82d2cb97caa3a768ba1ce1ceb21633b7cd27b8e60c8dff4348f5

Download Submit
C:\Config.Msi\e58b1cf.rbs

Filesize
21KB

MD5
b85172ba0d76f26e75733ff6cf9312b5

SHA1
46305f2830d3f18e7b2c038c9dab99f58787d0e7

SHA256
d2bda25c5dc03fbceec9556e225973848b74c9d2404dac5b3cf37f061a048b03

SHA512
ae58c985f3a3f4bde284783233a4aac7a9ef7eeb957873e9dde15e77d28779654f1e893bf3229e818edd41aba5dbfe170c44a68e07f7fb562b5a846843643bc3

Download Submit
C:\Config.Msi\e58b1de.rbs

Filesize
21KB

MD5
0399684adcdbc73e4b5b0f8163185a8c

SHA1
fa759f223b229559ad6e553a2dfcadee9028c3d1

SHA256
39ff74a5681ddedc60d56de0cd7dae76252590a84c26affe9a71c8df893f0799

SHA512
14b7de58fd1f3f1cea44faaafe113ef7cf1a4ff9feeb63a1cd8e7c24e87964c79b7e7ab67be36b2acf3c8ff87b1b5d4708a8493f157e62c1af431ff83bcb90f5

Download Submit
C:\Program Files\Wireshark\npcap-1.78.exe

Filesize
1.1MB

MD5
1b7dfff4e1f16785d5e800c193301bd7

SHA1
e1ee172ee36999daa3cfb2a0406fd8950038cefe

SHA256
deeb39ae22a44ea2698c4a58732e621bc45b84686a444c405491fef946898d90

SHA512
71f8affed3e51b00c85039f211218c5eee66b724bd674bdd4b1c609cff3c440a4ab6ee0c6fa7bc8de39dac5a65f7c7c04a8dcae3baf52c091c512f293ec86920

Download Submit
C:\Program Files\Wireshark\vc_redist.x64.exe

Filesize
5.5MB

MD5
9375651493dced23ece462f63da6d3c7

SHA1
12e0cc4f794567ea6ac633687ce2872acf2c848b

SHA256
b9c2020d93986e37cb0bec774147bf4752fbae17afdfdbdee6e1e9314a7bc2b8

SHA512
6cf5ae63fbdeb47aaf146b4b01797eba199c4518db99d1d5f237890c03c52dc0a369314f267f54db89068886d19cb197735bc1e0fc2b56c51bdebbed5c06cfbe

Download Submit
C:\Program Files\Wireshark\vc_redist.x64.exe

Filesize
11.0MB

MD5
3744c30128d19e06ae4dcc79914f3b65

SHA1
bb7a8660a50b4e437981ee3bddb3c95175db1c98

SHA256
f950d6c9ef659da43cb7bb1609b5544ba7f18cf9997a27eee4008aff6297747d

SHA512
bae648f906508df5e622b95137a9a6a84963f02ee897a1fea68ef7a74bf2d922f8d5440bb3c5374134ae563a71cb81b1c7a4095156053d4da3a4bfe7e61086ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240201152128_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
cc8c1057bac26fefe0cedee85b3a7df2

SHA1
6ec70e7446f395dd50f2052317e77ab9d1cc3b10

SHA256
d807af777ad9b41e01adcb57090019a247c38670a6be998c4c38649eb0eb9e0b

SHA512
9e07443af9f45f781d73be60643282ff422a9722c067f272fc800ca8dc2f3365c3e9174cba8f25925f11b9cbdcc9e9472afc44292169b58761d633a4dab46954

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240201152128_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
e9662c7f31928d45c55a55830a62eaf0

SHA1
d819ed0406df5d099c65f181c0d72a78d24d52c9

SHA256
8ca6a37ed792a0d7f1ba04032c4c2dc6f5bdef8d437bae60db65401e606d729d

SHA512
559b2f40e9127b58583f655da1663e82e1f4b8d153cf55008251e04a19005223b84a5bdef9bcbdc05bcdc851b57a519c285f99fc86954376e7d96aba4d747b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\DonatePage.ini

Filesize
904B

MD5
a7503cc175535989650d0749c18c8881

SHA1
1f4d8aed9a2677e9a2f0467c022fc98b732ce81a

SHA256
e0f775ff3740334da3924a6537b87d8fc1211942e42d4565f9edd26cf50e7b3f

SHA512
3495eee44dd3756b180e50a6f59e3b5fb41707bd243e9f2631e8f23e8f2cc1f668e449a0f905d8876e997c341adbc234ca4a0b7a6f9857d77ee7fd2f689face5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\NpcapPage.ini

Filesize
2KB

MD5
6d92cfc906fb0684194241de46130860

SHA1
f1b71ec77becf094746fc2b1e5c7b8a06f4c8568

SHA256
eca18a27265e0c02a715cd107848253f8b4dd95728090f3f05a2721201bfe8cb

SHA512
4128cffdb1f9a94c37e5e800772c0214399ac164b0a8b92071c7215d937f80853a39f14e9ebd759b50d85b96c96efcb3ffd25a17fcea63cd9293dcbcadfd9a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\USBPcapPage.ini

Filesize
2KB

MD5
229ff08c19081c5ee1587464d2e9eb2f

SHA1
4eaff45ac494531262401a6d6cd18b494852de3b

SHA256
63adcfeabb88025b23d133eb6cb5cf1838e4cf0ecc8747fa1d9ec05209274c0a

SHA512
bd4fb74d11cfe84b01f393695da631a63877baceeaad36112da27e7f11804a8c26944cc8d8bfc4f21d3d9ac2b57877506ef636d3c090cdbf169d107756f1780b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\USBPcapPage.ini

Filesize
2KB

MD5
f51a9a052278bbb1738acff8d4510e96

SHA1
9524e8ecff95ac043aaa332273e4032af71e39c4

SHA256
2370f609d1ed069e4d05bf84fc3bd35cadb54399298a45d6e063c8dd8267430c

SHA512
d050057b04357a843f3dc50f98b8f847f7b1a0df27ce80fed80442f2efafefe9e24b01b8c4f5b75def5f7803c6e70bcaca1041876338abcba28ad27c51e0ac29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8A60.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspDD9B.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspDD9B.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
aa0b671de92ea32c5842c57159abc15a

SHA1
7a08948ba971414a4b2c35076f2e142c03483746

SHA256
8f89bdb9e5d379ecb3eadefb4350f35b2ba10baddd60d941aa71f27e8c60f699

SHA512
7b132efd64faad61086b6d6a87e04d880bd8bb68cc566c1f42750f7672d6ac5945601db60179a7d3a3a61e2cced603817912b62cddbef9584599dcf0de4d773b

Download Submit
C:\Windows\Installer\e58b1c9.msi

Filesize
188KB

MD5
a4075b745d8e506c48581c4a99ec78aa

SHA1
389e8b1dbeebdff749834b63ae06644c30feac84

SHA256
ee130110a29393dcbc7be1f26106d68b629afd2544b91e6caf3a50069a979b93

SHA512
0b980f397972bfc55e30c06e6e98e07b474e963832b76cdb48717e6772d0348f99c79d91ea0b4944fe0181ad5d6701d9527e2ee62c14123f1f232c1da977cada

Download Submit
C:\Windows\Temp\{46BF31EF-B948-4527-B62D-AE2C847B99A7}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
46efc5476e6d948067b9ba2e822fd300

SHA1
d17c2bf232f308e53544b2a773e646d4b35e3171

SHA256
2de285c0fc328d30501cad8aa66a0ca9556ad5e30d03b198ebdbc422347db138

SHA512
58c9b43b0f93da00166f53fda324fcf78fb1696411e3c453b66e72143e774f68d377a0368b586fb3f3133db7775eb9ab7e109f89bb3c5e21ddd0b13eaa7bd64c

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
935KB

MD5
c2df6cb9082ac285f6acfe56e3a4430a

SHA1
591e03bf436d448296798a4d80f6a39a00502595

SHA256
b8b4732a600b741e824ab749321e029a07390aa730ec59401964b38105d5fa11

SHA512
9f21b621fc871dd72de0c518174d1cbe41c8c93527269c3765b65edee870a8945ecc2700d49f5da8f6fab0aa3e4c2db422b505ffcbcb2c5a1ddf4b9cec0e8e13

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
dd070483eda0af71a2e52b65867d7f5d

SHA1
2b182fc81d19ae8808e5b37d8e19c4dafeec8106

SHA256
1c450cacdbf38527c27eb2107a674cd9da30aaf93a36be3c5729293f6f586e07

SHA512
69e16ee172d923173e874b12037629201017698997e8ae7a6696aab1ad3222ae2359f90dea73a7487ca9ff6b7c01dc6c4c98b0153b6f1ada8b59d2cec029ec1a

Download Submit
C:\Windows\Temp\{7F866C2A-AF37-4B2D-BE8A-B5DB43BDB94E}\vcRuntimeMinimum_x64

Filesize
64KB

MD5
0da66aaf2738d7703383590ee0a6ab87

SHA1
64d93982f95c4b591212882ee6b9a3c4f93bcd29

SHA256
e539a43e411014cad28aeb7715ffa33d603b0bd5877861611bc58b907aa065a5

SHA512
c4d6ea83d4b088d936188d33088c6544f8c14f58496f6b66a9424eea4e77b5549dcb4778295838780efbc71c49df7151bb37a855c34c342fe5c2e526d0685639

Download Submit
memory/1260-1074-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1082-0x00007FFC7D7F0000-0x00007FFC7D800000-memory.dmp

Filesize
64KB

Download
memory/1260-1131-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1132-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1130-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1129-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1128-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1127-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1065-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1066-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1067-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1068-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1069-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1070-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1071-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1072-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1073-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1126-0x00007FFC7FBF0000-0x00007FFC7FC00000-memory.dmp

Filesize
64KB

Download
memory/1260-1075-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1076-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1077-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1079-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1080-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/1260-1081-0x00007FFC7D7F0000-0x00007FFC7D800000-memory.dmp

Filesize
64KB

Download
memory/1260-1078-0x00007FFCBFB70000-0x00007FFCBFD65000-memory.dmp

Filesize
2.0MB

Download
memory/4500-561-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-550-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-549-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-551-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-555-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-556-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-557-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-558-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-559-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download
memory/4500-560-0x000001FC79CC0000-0x000001FC79CC1000-memory.dmp

Filesize
4KB

Download