Analysis
max time kernel: 151s
max time network: 149s
platform: windows7_x64
resource: win7v20201028
submitted: 20-11-2020 00:22
Static task: static1
Behavioral task: behavioral1
  Sample: Wireshark-win64-3.4.0.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Wireshark-win64-3.4.0.exe
  Resource: win10v20201028
General
Target: Wireshark-win64-3.4.0.exe
Size: 58.5MB
MD5: f427fe6703fdf785bae6274b9ff0cc7d
SHA1: e2dd1f2364d58f93fd44f7330a3068d5bed00154
SHA256: 32113e083409de888468e0bfe74ba98e6d618f9685a56a06f15b0506fdf4e462
SHA512: 4f6bf082cf838c910907d3e6d7b974e1fb9c8a062d19d5f270d99bd6afbe78cd37e06bfbb2c994ee97ec199c34dc53df59546f9a43ef4f7df9241c49a4dffe98
Malware Config
Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Blacklisted process makes network request 1 IoCs
Processes: msiexec.exe
flow | pid | process
6 | 324 | msiexec.exe
Drops file in Drivers directory 6 IoCs
Processes: NPFInstall.exe, DrvInst.exe
description | ioc | process
File opened for modification | C:\Windows\system32\DRIVERS\npcap.sys | NPFInstall.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETE82D.tmp | DrvInst.exe
File created | C:\Windows\system32\DRIVERS\SETE82D.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\loop.sys | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\SETE070.tmp | NPFInstall.exe
File created | C:\Windows\system32\DRIVERS\SETE070.tmp | NPFInstall.exe
Executes dropped EXE 9 IoCs
Processes: vcredist_x64.exe, VC_redist.x64.exe, npcap-1.00.exe, NPFInstall.exe
pid | process
1380 | vcredist_x64.exe
1468 | vcredist_x64.exe
292 | VC_redist.x64.exe
1260 | npcap-1.00.exe
1744 | NPFInstall.exe
1264 | NPFInstall.exe
1908 | NPFInstall.exe
1484 | NPFInstall.exe
2188 | NPFInstall.exe
Processes:
resource | yara_rule
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeMinimum_x64 | office_xlm_macros
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeAdditional_x64 | office_xlm_macros
Loads dropped DLL 36 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: VC_redist.x64.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f770e99-3916-4b0c-8f9b-83822826bcbf} = "\"C:\\ProgramData\\Package Cache\\{0f770e99-3916-4b0c-8f9b-83822826bcbf}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
JavaScript code in executable 14 IoCs
Drops file in System32 directory 88 IoCs
Modifies service 2 TTPs 532 IoCs
Drops file in Program Files directory 795 IoCs
Drops file in Windows directory 39 IoCs
Processes:
-
NSIS installer 6 IoCs
Processes:
resource yara_rule \Program Files\Wireshark\npcap-1.00.exe nsis_installer_1 \Program Files\Wireshark\npcap-1.00.exe nsis_installer_2 C:\Program Files\Wireshark\npcap-1.00.exe nsis_installer_1 C:\Program Files\Wireshark\npcap-1.00.exe nsis_installer_2 C:\Program Files\Wireshark\npcap-1.00.exe nsis_installer_1 C:\Program Files\Wireshark\npcap-1.00.exe nsis_installer_2 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
-
Modifies data under HKEY_USERS 208 IoCs
Processes:
-
Modifies registry class 147 IoCs
Processes:
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
msiexec.exeNPFInstall.exepid process 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 324 msiexec.exe 1744 NPFInstall.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 460 460 -
Suspicious use of AdjustPrivilegeToken 431 IoCs
Processes:
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 592 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 592 iexplore.exe 592 iexplore.exe 984 IEXPLORE.EXE 984 IEXPLORE.EXE 984 IEXPLORE.EXE 984 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 88 IoCs
Processes:
Processes
-
Each process is listed as its image path, then its command line, then its behaviour tags; child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Program Files\Wireshark\vcredist_x64.exe
  "C:\Program Files\Wireshark\vcredist_x64.exe" /install /quiet /norestart
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe
    "C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vcredist_x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{6F149526-2581-45CE-B8D1-A454DEC424BB} {35247DF1-A54C-46AA-A819-BA42F8DD0789} 1468
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies service
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
        "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=500 -burn.embedded BurnPipe.{7456D846-71C9-462A-9B31-2C18DF68EFCB} {024FF4AD-7A13-4B72-AAF5-3EE77F6ED8D1} 292
        - Suspicious use of WriteProcessMemory

          C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
          "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=500 -burn.embedded BurnPipe.{7456D846-71C9-462A-9B31-2C18DF68EFCB} {024FF4AD-7A13-4B72-AAF5-3EE77F6ED8D1} 292
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
            "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5DD0994E-60BF-4840-913C-6DB5DA98F959} {862C7DAF-8AAB-420C-9B31-584CCA5E0FDC} 316
            - Drops file in Windows directory
            - Modifies registry class

  C:\Program Files\Wireshark\npcap-1.00.exe
  "C:\Program Files\Wireshark\npcap-1.00.exe" /winpcap_mode=no /loopback_support=no
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies service
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe" -n -check_dll
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV.cer"

    C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV-sha1.cer"

    C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    - Executes dropped EXE

      C:\Windows\system32\pnputil.exe
      pnputil.exe -e
      - Drops file in Windows directory

    C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    - Executes dropped EXE
    - Drops file in Windows directory

    C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies service
    - Drops file in Program Files directory
    - Drops file in Windows directory

    C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -il
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies service
    - Drops file in Windows directory

    C:\Windows\SysWOW64\SCHTASKS.EXE
    SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
    - Creates scheduled task(s)

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003A8" "00000000000005B8"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Blacklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{26d7c48a-f8f8-5c99-06c3-142926215c5a}\NPCAP.inf" "9" "605306be3" "00000000000003EC" "WinSta0\Default" "00000000000003D8" "208" "C:\Program Files\Npcap"
- Drops file in System32 directory
- Modifies service
- Drops file in Windows directory
- Modifies data under HKEY_USERS

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000005C4" "00000000000005C8"
- Drops file in Windows directory
- Modifies data under HKEY_USERS

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\netloop.inf" "netloop.inf:Microsoft.NTamd64:MSLOOP.ndi:6.1.7600.16385:*msloop" "6632877cf" "00000000000003EC" "00000000000003A8" "00000000000005C4"
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies service
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Downloads
-
C:\PROGRA~1\Npcap\npcap.sysMD5
a0164420de7f90414cfe661e31a4a618
SHA1b7701d069d4fcb31121462256edc283294fb2351
SHA256f6459767fd63fad5a5bacde8a612f9598498d5877c014275c9e517486da99be3
SHA512cdfed2ad00cbd290821783106e9c1b895a042c6dd630981e53399492334acfa8ecadfe261d62558870e8a395f9aedfba1ad0b056aa7364fa5c4a5a481ac77796
-
C:\Program Files\Npcap\NPCAP.infMD5
dd4d9bf2e91f295146c86d4bd6f4188e
SHA16b3d2af0b29b1b0ece0c6900fe11b7466f4c34af
SHA256f08b2844468196b265dd191ecdc3655071d8d91e0b755dece6789a8b9db6a48f
SHA512af5c1bf7b527ba0de691b6e38cb447a217cbaf575aa02fbf68eff096ab4eb8d3688b3fd730297b71e096400410e7101658ab0c72e2de13bfd0829eb9078bc70d
-
C:\Program Files\Npcap\NPCAP_wfp.infMD5
b810a602b91df8bb508efb681f8189ed
SHA178a7b1aa393cb2aff6ec6643b6ba2d3a0bc02915
SHA256513b6658c7ecf8648fa73ab5f5da38821ae0f39bdd30ac5ff93a4413ae2d1338
SHA5129cffd9f4cb1f7f7d55009d319ab4e6487036b17bb9b7894195f6a4317abb8ad91e8503d439e0cc1fdeaf49080a94f798498c489a81d7a49e717de77f47615132
-
C:\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
C:\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
C:\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
C:\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
C:\Program Files\Npcap\NPFInstall.logMD5
41fa70a2b240b3a416a01886b5fabfcd
SHA112f0f628c94ae9bbeb054b408edd840235d3a91f
SHA256f67ef070923ea54281f980f1c4d061c7af04fb2a15184c97e9e2cc42f719c4b5
SHA51285f90f1c66d2b6e420ac0d05d205823cfc1274971cac20a9269e931415ce6e560fb33b77ba323087c8aa148966d46dfd85ef2d2b756979a25b664577da93f5a2
-
C:\Program Files\Npcap\NPFInstall.logMD5
1db00c559a89a6c16f493ec2518ff11d
SHA15368a1719667357a0bb82c926790defe83f9bd10
SHA256bde33ab6f537900236fd616ce3ca398234fe9aecaa1d1123b6b07918eab0d1f6
SHA5123cac483ee4a6cfe4f9fe2f4aa588e3ddfc6566402e759d19385bbdb68c0e2b09c80122eea2202ae0c0ea700d731f0cfaf7adccea39c64bc3b6ac5d4cf268759b
-
C:\Program Files\Npcap\NPFInstall.logMD5
a691721ca32c0c087db1746c2a8ec0e4
SHA143e88f2eb80bbf012bc88cb8fe0923830818e0ae
SHA25677c1c9deeb4b18cfcebff3952a0c868ba45441cedbf699163dc88d8f875edcfe
SHA5125793111fc83e10d4641b7756ca82af3b0b81071e2f55cc660f7529c12ac3a6b4f9fef5b043453aef26894ed60194d788377853badd5ba0fc08d0fd9f11dd784f
-
C:\Program Files\Npcap\NPFInstall.logMD5
ad28aad622263695beb87145f298fdc6
SHA1a8ba91bfa9bff0e675b90fc9e2476486a106f7d5
SHA256e70cf5571d54d39fcfacb26522dcdd47017e1fa4655ba46bb24c3606565542e8
SHA512c93217643dd354966c34fb38fbbc390cf1645ec910e6f9dd2bb4ec6515bd802a37901e073b22708958a53e6554e7714deb02994edc6dacfaa9b7a9b1196b91ae
-
C:\Program Files\Npcap\npcap.catMD5
74ff20bbd94ca641189d2fc126ef954b
SHA1af896f3b3bf24fe7e25f6310d9b1f6dd78e0174e
SHA256676d43897aad5faabd724d2f91cc9f0bcb711908d89fa8a017c274b6b2345a33
SHA5129dac93f72ecf741437bc80a67c63f555d4e737cd1c30c26497794dddb3abc879d024c41bb3079274a743b6e4b94f0cb5ccfa5caa2bd88842b5babc4d623fe1b6
-
C:\Program Files\Wireshark\npcap-1.00.exeMD5
fc8cb1b4677c90859af51c8c664e755d
SHA162f3d68f01f93c1b5b3f915a2781cd523394b944
SHA256488ab12e28e81d0dcf3d5d996f9cb676293f6f73b39e9c99476b5a44cec2250a
SHA512bbdc020bf97f75c8f63f09495e5580fcc77af342fe4866fcc12023d75d8ff73b0826c66a655b70f79588ab7a1b8eea0baf228305214a9b3ea60667799246dcaf
-
C:\Program Files\Wireshark\npcap-1.00.exeMD5
fc8cb1b4677c90859af51c8c664e755d
SHA162f3d68f01f93c1b5b3f915a2781cd523394b944
SHA256488ab12e28e81d0dcf3d5d996f9cb676293f6f73b39e9c99476b5a44cec2250a
SHA512bbdc020bf97f75c8f63f09495e5580fcc77af342fe4866fcc12023d75d8ff73b0826c66a655b70f79588ab7a1b8eea0baf228305214a9b3ea60667799246dcaf
-
C:\Program Files\Wireshark\vcredist_x64.exeMD5
9f096b97d204078b443dbcbf18e0ebb0
SHA1a55510a8c9708b2c68b39cd50bbcaf86e2c885f0
SHA2564b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107
SHA512c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec
-
C:\Program Files\Wireshark\vcredist_x64.exeMD5
9f096b97d204078b443dbcbf18e0ebb0
SHA1a55510a8c9708b2c68b39cd50bbcaf86e2c885f0
SHA2564b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107
SHA512c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec
-
C:\ProgramData\Package Cache\{0f770e99-3916-4b0c-8f9b-83822826bcbf}\VC_redist.x64.exeMD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA11b1427bf86c326e1f402887af5082653129cf03e
SHA256bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
6bbb835228d7be7c3ceaa798185ae81e
SHA1222591e9f6b3c41a5dc04cf5f21daf32cb87c5e2
SHA256b0dc30e5596c9c33a544f5e00931667d02d00200e863b158b508be079b4da59f
SHA51248a53f44b2bc791c25ccb02e9cbe9c6093f39303a13f8b248d0d91b409c89eae5907e66fa697f2224e6ff1eb86ce17461c8838aedd7623f2abdd3310f49171ab
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20201120002735_000_vcRuntimeMinimum_x64.logMD5
01c61d067b839f50b37446ca4c9608e5
SHA17785a2c66487fec4833432a97486da14c3365e3b
SHA25651e208aa82d2f7b0143b570991b62738cfd873c474c5a2c566e440f5258ff60f
SHA512369d60cc5ae56c67d447c24722ef946afb77a6f0be268e2dd92dbc8c4c6966887e6d4c6c2faa767ee02c1b1ba7a4ff618566bae2a6914c2b2716a5afd6d06c1b
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20201120002735_001_vcRuntimeAdditional_x64.logMD5
3d808057caeae381e95f7c729af00bd1
SHA1583cbc4cecadd420bca8952a495a0540aa185056
SHA256f4994632bceeed5fd6df10a1476f8112804542867242acf2c8295d60766e6965
SHA51296ed56669a4f26a48c1f3f6fe069444f5b68ddcf9c4fd87aab79ac2dd126b0b6bb083527cae8a22f4c6ba56d0b10f4c08710cf32b511f314c2a0255c92bf6dfb
-
C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV-sha1.cerMD5
6e3a097ec254863a4a1a810ffcad253a
SHA129bacae898852aab0bb9162881053b703b9d1005
SHA2568e1b4bcf0bb63d58165149af6b31f771c80b1064750ebb3c326483df3ab8ebf0
SHA512dad466fe6e87d5834837c4f0145c85c852be9e4d8301b2eeb1d2af322829b9b2913647c4ea5e70293c35260265cebc02f4f017cbb319209556f4278afcd64ae1
-
C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV.cerMD5
bb381ad7f010e2e2f2f63d01c7134805
SHA14ce89794fe2d2f7e30121f10bcf76ac3ccf77ca9
SHA256ed81c57dc455569ced035211a11c74110bf820df0d8b09bf23024c6f0d9baf95
SHA512da41931dac9c463ab066eaeb830f0e3d79c62f103f2eff4d5092e99e8292f30cc16d6ffd70071af353fa986b5874dd2cf8a4d44d9f2df479574bcdbf6f5b796c
-
C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
C:\Users\Admin\AppData\Local\Temp\{26D7C~1\npcap.sysMD5
a0164420de7f90414cfe661e31a4a618
SHA1b7701d069d4fcb31121462256edc283294fb2351
SHA256f6459767fd63fad5a5bacde8a612f9598498d5877c014275c9e517486da99be3
SHA512cdfed2ad00cbd290821783106e9c1b895a042c6dd630981e53399492334acfa8ecadfe261d62558870e8a395f9aedfba1ad0b056aa7364fa5c4a5a481ac77796
-
C:\Users\Admin\AppData\Local\Temp\{26d7c48a-f8f8-5c99-06c3-142926215c5a}\NPCAP.infMD5
dd4d9bf2e91f295146c86d4bd6f4188e
SHA16b3d2af0b29b1b0ece0c6900fe11b7466f4c34af
SHA256f08b2844468196b265dd191ecdc3655071d8d91e0b755dece6789a8b9db6a48f
SHA512af5c1bf7b527ba0de691b6e38cb447a217cbaf575aa02fbf68eff096ab4eb8d3688b3fd730297b71e096400410e7101658ab0c72e2de13bfd0829eb9078bc70d
-
C:\Users\Admin\AppData\Local\Temp\{26d7c48a-f8f8-5c99-06c3-142926215c5a}\npcap.catMD5
74ff20bbd94ca641189d2fc126ef954b
SHA1af896f3b3bf24fe7e25f6310d9b1f6dd78e0174e
SHA256676d43897aad5faabd724d2f91cc9f0bcb711908d89fa8a017c274b6b2345a33
SHA5129dac93f72ecf741437bc80a67c63f555d4e737cd1c30c26497794dddb3abc879d024c41bb3079274a743b6e4b94f0cb5ccfa5caa2bd88842b5babc4d623fe1b6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2M4OBY27.txtMD5
625a6aabbea79cd1c8101b2b7df12ccb
SHA1d133d365bc8b4a6592c01bb4664c2968a2639068
SHA2562ca7d9f31c21726a4ac8ad316366cb654ce1bcddba5f3f0a39b637711fcd1426
SHA51232c495b7f7d90020ff63468c74353cea91ee39905df744df6f39dc0ec7de097cd5592c8ce594869d5ec0aa238d5774b7c5b7824e793acb9c55a98adf95232278
-
C:\Windows\INF\netloop.PNFMD5
55a7da53970a0103397966a2dbb54902
SHA140b5101a512d5d8b841814dca30220c3b6446d6c
SHA256ca1d4ab4b1244bb15f3094e8a024cebc2a4c396e2149c81328b7dda09edfa17f
SHA512682236521a195f4b976098ca85fddf94964f85ab6e02002358ec05764755cbc79df2743d3530a9c7d93a38e4326afa4f947ca5067115b29784b432fe43472d82
-
C:\Windows\INF\oem2.PNFMD5
b3cf362198fcf4abfd4766eb8301f1f7
SHA15f9e0a0bcf6706d05d50b074d109f6dc63bab8fa
SHA256c22ca551fa5fdc9c68f5c03fd13dcbad65012fa16b479f90eb4c645db88e8209
SHA5124a43c97a7bdebf883b7871d08a9e5f3a2407fe43defd90655eee3614fbf3d376e98280c5110604c5675b70f26a31853643d4e0448889b95a37e346afc63441fb
-
C:\Windows\INF\oem2.infMD5
dd4d9bf2e91f295146c86d4bd6f4188e
SHA16b3d2af0b29b1b0ece0c6900fe11b7466f4c34af
SHA256f08b2844468196b265dd191ecdc3655071d8d91e0b755dece6789a8b9db6a48f
SHA512af5c1bf7b527ba0de691b6e38cb447a217cbaf575aa02fbf68eff096ab4eb8d3688b3fd730297b71e096400410e7101658ab0c72e2de13bfd0829eb9078bc70d
-
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\npcap.PNFMD5
3e47d192c510592de0bb23ad1609db1e
SHA1e0a2b41655096f3c4eabdbbaa81a3a79df0f4ce0
SHA25641fca19eb1c6255fe522e8f6fb687a5022585646b77a9234d596348bc71e7867
SHA512dbd3067b8cfab7a1173693e2722941a8d6f55c2bcc752c4549526155f76e74b75f56a61f03520000810daf81b990b9a692d6320da1bd9957b45f152c1c1d3bf1
-
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\npcap.catMD5
74ff20bbd94ca641189d2fc126ef954b
SHA1af896f3b3bf24fe7e25f6310d9b1f6dd78e0174e
SHA256676d43897aad5faabd724d2f91cc9f0bcb711908d89fa8a017c274b6b2345a33
SHA5129dac93f72ecf741437bc80a67c63f555d4e737cd1c30c26497794dddb3abc879d024c41bb3079274a743b6e4b94f0cb5ccfa5caa2bd88842b5babc4d623fe1b6
-
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\npcap.infMD5
dd4d9bf2e91f295146c86d4bd6f4188e
SHA16b3d2af0b29b1b0ece0c6900fe11b7466f4c34af
SHA256f08b2844468196b265dd191ecdc3655071d8d91e0b755dece6789a8b9db6a48f
SHA512af5c1bf7b527ba0de691b6e38cb447a217cbaf575aa02fbf68eff096ab4eb8d3688b3fd730297b71e096400410e7101658ab0c72e2de13bfd0829eb9078bc70d
-
C:\Windows\System32\DriverStore\INFCACHE.1MD5
9583adb80ed088dd1d9ae7c840ae312b
SHA11c41b62953b04c05a0e97762f05dacf28be8e310
SHA256247c3dffc61f8582759851df7ea94c1a7c19f0ed58e445c371c2a401aec66776
SHA512861ee7439eb133cddfd2ff5f3376bd2f4a0aeec77e31a862dd3d4fdb9efbe7e7a7529af7617731402f33fa417f628d3a767b935a43b8c91fe215e55f24c7eaa7
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exeMD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA11b1427bf86c326e1f402887af5082653129cf03e
SHA256bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exeMD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA11b1427bf86c326e1f402887af5082653129cf03e
SHA256bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\cab2C04DDC374BD96EB5C8EB8208F2C7C92MD5
5c2a82f74a564f4bd605207dc8845b18
SHA1a3681d7e7cbc9e4cde84b85f55bdc94f079fa17f
SHA256c4766867d211cc60069f2bc088d80aecb64f1d62d0d1116993f34a22e62073cf
SHA512af19f506441db43096ee211864e7de39248975b8a18b5b99078b31ee0ed5e659b8838bac11499d0fe8bf971ffd73c50a3cbc01efa67e62ac192a6c041699b726
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\cab5046A8AB272BF37297BB7928664C9503MD5
e76673ff437d9953e47bc7dff98cca82
SHA1b3b8cda5d4ae340fb381e06124da63f1f753fbdf
SHA2569ae5e7da815b59ba58b8d40d0438d96b02bcadde8d5afb4e359b2118ac968f95
SHA512003f2b8c5c8556a7fa1e12b49d2b36bdd0a8581e41952e9eda76bcf3cb85f546fbd8df242cc8d46d6ea0b79979d7a4ac0380100a17ed4c7e016be86fc21d9dd3
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeAdditional_x64MD5
c67f21677ad09aaec06560558d0b61e3
SHA1092eb8fafc5ae0105234112ea782be0147b6822e
SHA25613de3270d5ec9025c818089a2bd514d4dce1d784083ab36ca7350c4ec2a32737
SHA5127c46dc50be247d7927e9761927a04457565736d9c35bf81862e8131e5115766e404f2412ea176f4f7119c91eeb59ebf321cc04d54dc0cad55c811838d4098ad7
-
C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeMinimum_x64MD5
1aadae6e83982688768731a678a37568
SHA118ec1cf86e1788d82ed5aabccf22747577f30edb
SHA256c646c4ccaedcf755e296027f34f40c0b50469f0358fdc6bb266b42fee94de58c
SHA5122dbde85f2c96bd127eabc8e1095fe6e9b232bd13335257e3a2a5c30c14e91a677c8c80a52386bfb9ab89f3dad42f4fc151bf0ddd31383a137a9631eb78f92b2e
-
C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exeMD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA11b1427bf86c326e1f402887af5082653129cf03e
SHA256bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exeMD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA11b1427bf86c326e1f402887af5082653129cf03e
SHA256bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
C:\Windows\WindowsUpdate.logMD5
ee22ddd54e0a68b175680764fd593361
SHA1e3d910e471d2060a3fb37caf54986c118b1938e6
SHA2561a92835c1aae2fadc976d6651677399852dc4ff9e3ecee91f2cdbbe0feaa6ad9
SHA512b090aab144f7f1362403ff791018a98ed9a7e242561040c245a267eb4d902942561297b6e64717dc85cc511538d1912fbb81752252634e37179f01eeae284b90
-
\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Program Files\Npcap\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Program Files\Wireshark\Wireshark.exeMD5
947e65d88f29b9a6dab0e9d525aa6b6d
SHA1276fd55a7bba34bf79bdde3220c555222470e1b2
SHA256c4a7d8915de8c4443d9640b0dbdde6f9400453bd01012e5cee01a80e40b7ee8f
SHA5129293fc8b082f652918be490b550268564570c84bbd6a25b5e8f28c11e45d2734dc4f35d8c58fe1c85876c8c5f31c95e5dd2eed41e013802112d5f4927dda496b
-
\Program Files\Wireshark\Wireshark.exeMD5
947e65d88f29b9a6dab0e9d525aa6b6d
SHA1276fd55a7bba34bf79bdde3220c555222470e1b2
SHA256c4a7d8915de8c4443d9640b0dbdde6f9400453bd01012e5cee01a80e40b7ee8f
SHA5129293fc8b082f652918be490b550268564570c84bbd6a25b5e8f28c11e45d2734dc4f35d8c58fe1c85876c8c5f31c95e5dd2eed41e013802112d5f4927dda496b
-
\Program Files\Wireshark\npcap-1.00.exeMD5
fc8cb1b4677c90859af51c8c664e755d
SHA162f3d68f01f93c1b5b3f915a2781cd523394b944
SHA256488ab12e28e81d0dcf3d5d996f9cb676293f6f73b39e9c99476b5a44cec2250a
SHA512bbdc020bf97f75c8f63f09495e5580fcc77af342fe4866fcc12023d75d8ff73b0826c66a655b70f79588ab7a1b8eea0baf228305214a9b3ea60667799246dcaf
-
\Program Files\Wireshark\vcredist_x64.exeMD5
9f096b97d204078b443dbcbf18e0ebb0
SHA1a55510a8c9708b2c68b39cd50bbcaf86e2c885f0
SHA2564b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107
SHA512c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\InstallOptions.dllMD5
09d8971beefefffd710030dd167a99e0
SHA1a0117786ad77213f3eb48cfdc3819786cb796b7d
SHA256caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95
SHA5123956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\InstallOptions.dllMD5
09d8971beefefffd710030dd167a99e0
SHA1a0117786ad77213f3eb48cfdc3819786cb796b7d
SHA256caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95
SHA5123956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\InstallOptions.dllMD5
09d8971beefefffd710030dd167a99e0
SHA1a0117786ad77213f3eb48cfdc3819786cb796b7d
SHA256caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95
SHA5123956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\InstallOptions.dllMD5
09d8971beefefffd710030dd167a99e0
SHA1a0117786ad77213f3eb48cfdc3819786cb796b7d
SHA256caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95
SHA5123956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\System.dllMD5
8cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
\Users\Admin\AppData\Local\Temp\nsn15F3.tmp\nsDialogs.dllMD5
ec9640b70e07141febbe2cd4cc42510f
SHA164a5e4b90e5fe62aa40e7ac9e16342ed066f0306
SHA256c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188
SHA51247605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\InstallOptions.dllMD5
d8bfba73978801ed5c291b847ae6ed0f
SHA1afd973df6c0fd92372b787f2a06a02fa4c03b877
SHA25675fca8af133756a0d36ad9b6177ef8ee01b6dd18ede216d82b2eb5f8092a84cd
SHA51262b921725c727247b96622765caa4ddec1126980e677764f9bdb5e68eae50044747f0ee99744c44b7a7253a57e3c28a2fc19a99d479787aa4944499871db92f2
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\InstallOptions.dllMD5
d8bfba73978801ed5c291b847ae6ed0f
SHA1afd973df6c0fd92372b787f2a06a02fa4c03b877
SHA25675fca8af133756a0d36ad9b6177ef8ee01b6dd18ede216d82b2eb5f8092a84cd
SHA51262b921725c727247b96622765caa4ddec1126980e677764f9bdb5e68eae50044747f0ee99744c44b7a7253a57e3c28a2fc19a99d479787aa4944499871db92f2
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exeMD5
f93eedcb0df2ef914ed51cc927a1fde9
SHA155056db79c0963883931e4c59222827129137c85
SHA2567b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
SHA5129d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\SimpleSC.dllMD5
4a2b58bd7cab29463d9e53fcb9a252b6
SHA14679ba66db7989a64c41892bbb3f7cec38fb5597
SHA25618b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124
SHA512e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\SimpleSC.dllMD5
4a2b58bd7cab29463d9e53fcb9a252b6
SHA14679ba66db7989a64c41892bbb3f7cec38fb5597
SHA25618b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124
SHA512e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\SimpleSC.dllMD5
4a2b58bd7cab29463d9e53fcb9a252b6
SHA14679ba66db7989a64c41892bbb3f7cec38fb5597
SHA25618b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124
SHA512e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\System.dllMD5
6a2f80ed640b6c2458329c2d3f8d9e3f
SHA1c6dba02a05dbf15aa5de3ac1464bc9dce995eb80
SHA2561e981423fda8f74e9a7079675c1a6fe55c716d4c0d50fb03ea482ff7500db14b
SHA51200d49b1874d76b150a646ac40032b34608e548cfd806642982e446619c9852a0ab5389791468651c4d51d118aad502174e7b887c2b5b6a7a3e35ddd9bd50d722
-
\Users\Admin\AppData\Local\Temp\nst8191.tmp\nsExec.dllMD5
78bda400d7b80858c014fc79bd8fc49b
SHA1f5bb0e85ba892611cf79b3c2756e87a59e1e213c
SHA2566bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4
SHA51295a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc
-
\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.ba\wixstdba.dll
MD5
eab9caf4277829abdf6223ec1efa0edd
SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe
MD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA1
1b1427bf86c326e1f402887af5082653129cf03e
SHA256
bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512
d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
\Windows\Temp\{6B31E9F4-6120-4A3F-AE5B-827EBD4DFA69}\.ba\wixstdba.dll
MD5
eab9caf4277829abdf6223ec1efa0edd
SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe
MD5
968e1c550c1254a3d5f63f4a78ac3b2b
SHA1
1b1427bf86c326e1f402887af5082653129cf03e
SHA256
bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
SHA512
d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f
-
memory/292-26-0x0000000000000000-mapping.dmp
-
memory/316-78-0x0000000000000000-mapping.dmp
-
memory/324-35-0x0000000001840000-0x0000000001844000-memory.dmp
Filesize
16KB
-
memory/324-37-0x0000000001270000-0x0000000001274000-memory.dmp
Filesize
16KB
-
memory/324-36-0x0000000001270000-0x0000000001274000-memory.dmp
Filesize
16KB
-
memory/324-39-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-76-0x0000000002E50000-0x0000000002E54000-memory.dmp
Filesize
16KB
-
memory/324-75-0x0000000000EC0000-0x0000000000EC4000-memory.dmp
Filesize
16KB
-
memory/324-73-0x0000000002E50000-0x0000000002E54000-memory.dmp
Filesize
16KB
-
memory/324-60-0x0000000000EC0000-0x0000000000EC4000-memory.dmp
Filesize
16KB
-
memory/324-55-0x0000000000EC0000-0x0000000000EC4000-memory.dmp
Filesize
16KB
-
memory/324-54-0x0000000000EC0000-0x0000000000EC4000-memory.dmp
Filesize
16KB
-
memory/324-53-0x0000000000EC0000-0x0000000000EC4000-memory.dmp
Filesize
16KB
-
memory/324-52-0x0000000001270000-0x0000000001274000-memory.dmp
Filesize
16KB
-
memory/324-49-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-48-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-46-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-44-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-42-0x00000000025D0000-0x00000000025D4000-memory.dmp
Filesize
16KB
-
memory/324-41-0x0000000001270000-0x0000000001274000-memory.dmp
Filesize
16KB
-
memory/536-3-0x00000000065C0000-0x00000000066C1000-memory.dmp
Filesize
1.0MB
-
memory/536-9-0x0000000006EF0000-0x0000000006EF1000-memory.dmp
Filesize
4KB
-
memory/672-14-0x000007FEF6010000-0x000007FEF628A000-memory.dmp
Filesize
2.5MB
-
memory/912-102-0x0000000000000000-mapping.dmp
-
memory/984-19-0x0000000000000000-mapping.dmp
-
memory/1028-111-0x0000000000000000-mapping.dmp
-
memory/1260-84-0x0000000000000000-mapping.dmp
-
memory/1264-107-0x0000000000000000-mapping.dmp
-
memory/1380-16-0x0000000000000000-mapping.dmp
-
memory/1468-21-0x0000000000000000-mapping.dmp
-
memory/1484-119-0x0000000000000000-mapping.dmp
-
memory/1484-98-0x0000000000000000-mapping.dmp
-
memory/1568-81-0x0000000000000000-mapping.dmp
-
memory/1744-93-0x0000000000000000-mapping.dmp
-
memory/1784-77-0x0000000000000000-mapping.dmp
-
memory/1908-113-0x0000000000000000-mapping.dmp
-
memory/2188-137-0x0000000000000000-mapping.dmp
-
memory/2236-143-0x0000000000DC0000-0x0000000000DE0000-memory.dmp
Filesize
128KB
-
memory/2372-148-0x0000000000000000-mapping.dmp