Wireshark-win64-3.4.0.exe

General

Target: Wireshark-win64-3.4.0.exe
Filesize: 58MB
Completed: 20-11-2020 00:25
Score: 9/10
MD5: f427fe6703fdf785bae6274b9ff0cc7d
SHA1: e2dd1f2364d58f93fd44f7330a3068d5bed00154
SHA256: 32113e083409de888468e0bfe74ba98e6d618f9685a56a06f15b0506fdf4e462
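Before acting on a sandbox verdict, confirm that the file in hand is the file the report analysed. The following is an added example and not part of the report or of the Wireshark project: it streams a file through MD5, SHA-1 and SHA-256 in one pass and compares the results with the digests listed above, deciding on SHA-256 only (MD5 and SHA-1 are both collision-broken and serve here just as a consistency check on the report header). The command-line usage at the bottom is an assumption for illustration.

```python
import hashlib
import hmac

# Digests as listed in the report header above for Wireshark-win64-3.4.0.exe.
REPORTED = {
    "md5": "f427fe6703fdf785bae6274b9ff0cc7d",
    "sha1": "e2dd1f2364d58f93fd44f7330a3068d5bed00154",
    "sha256": "32113e083409de888468e0bfe74ba98e6d618f9685a56a06f15b0506fdf4e462",
}
ALGOS = ("md5", "sha1", "sha256")


def digests_of_chunks(chunks):
    """Feed an iterable of byte chunks through all three hashes in a single pass."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digests_of_file(path, chunk_size=1 << 20):
    """Hash a file without loading it whole (installers run to tens of MB)."""
    def chunks():
        with open(path, "rb") as f:
            while block := f.read(chunk_size):
                yield block
    return digests_of_chunks(chunks())


def compare(actual, expected):
    """Per-algorithm match table; case-insensitive so pasted hashes compare cleanly."""
    return {
        algo: hmac.compare_digest(actual[algo].lower(), want.strip().lower())
        for algo, want in expected.items()
    }


def verdict(actual, expected=REPORTED):
    """Decide on SHA-256. A matching SHA-256 with a differing MD5/SHA-1 means the
    report header itself is inconsistent, which is worth flagging, not accepting."""
    matches = compare(actual, expected)
    if not matches.get("sha256"):
        return "MISMATCH: sha256 differs, this is not the file the report analysed"
    weak_misses = [a for a in ("md5", "sha1") if a in matches and not matches[a]]
    if weak_misses:
        return "WARNING: sha256 matches but %s differ, report header is inconsistent" % ", ".join(weak_misses)
    return "MATCH: file is the sample the report analysed"


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python check_sample.py Wireshark-win64-3.4.0.exe
    found = digests_of_file(sys.argv[1])
    for algo in ALGOS:
        print(algo, found[algo])
    print(verdict(found))
```

A sandbox report is only evidence about the bytes it hashed; if the SHA-256 you compute differs, every signature below describes a different file.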

Malware Config
Signatures 25

  • Checks for common network interception software

    Description

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity. For this sample the lookup is what an installer does to find an existing Wireshark installation (the sample drops Wireshark into C:\Program Files, see below), so the hit has to be read together with the rest of the report rather than as evidence of analysis evasion on its own.

  • Blacklisted process makes network request
    msiexec.exe

    Reported IOCs

    flow | pid | process
    - | 6324 | msiexec.exe
  • Drops file in Drivers directory
    NPFInstall.exe, DrvInst.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\DRIVERS\npcap.sys | NPFInstall.exe
    File opened for modification | C:\Windows\system32\DRIVERS\SETE82D.tmp | DrvInst.exe
    File created | C:\Windows\system32\DRIVERS\SETE82D.tmp | DrvInst.exe
    File opened for modification | C:\Windows\system32\DRIVERS\loop.sys | DrvInst.exe
    File opened for modification | C:\Windows\system32\DRIVERS\SETE070.tmp | NPFInstall.exe
    File created | C:\Windows\system32\DRIVERS\SETE070.tmp | NPFInstall.exe

    npcap.sys is the Npcap packet-capture filter driver and loop.sys the Microsoft loopback adapter driver (netloop.inf in the DriverStore entries below) that Npcap installs for loopback capture; the SET*.tmp names are SetupAPI's staging files for those copies. Both arrive via the bundled npcap-1.00.exe (see "Executes dropped EXE"), not via the Wireshark installer itself.
  • Executes dropped EXE
    vcredist_x64.exe, vcredist_x64.exe, VC_redist.x64.exe, npcap-1.00.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe

    Reported IOCs

    pid | process
    1380 | vcredist_x64.exe
    1468 | vcredist_x64.exe
    292 | VC_redist.x64.exe
    1260 | npcap-1.00.exe
    1744 | NPFInstall.exe
    1264 | NPFInstall.exe
    1908 | NPFInstall.exe
    1484 | NPFInstall.exe
    2188 | NPFInstall.exe
  • Suspicious Office macro

    Description

    Dropped resources match the office_xlm_macros YARA rule (Excel 4.0 / XLM macro content). The same two resources also match the js rule under "JavaScript code in executable" below; a file that hits both an XLM-macro rule and a JavaScript rule is usually matching on generic byte patterns, so the resource itself should be inspected before this is treated as an Office lure.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00030000000131b4-30.dat | office_xlm_macros
    behavioral1/files/0x00030000000131b5-32.dat | office_xlm_macros
  • Loads dropped DLL
    Wireshark-win64-3.4.0.exe, vcredist_x64.exe, vcredist_x64.exe, VC_redist.x64.exe, npcap-1.00.exe

    Reported IOCs

    pid | process
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
    1380 | vcredist_x64.exe
    1468 | vcredist_x64.exe
    1468 | vcredist_x64.exe
    316 | VC_redist.x64.exe
    536 | Wireshark-win64-3.4.0.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1200 | -
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1432 | -
    1260 | npcap-1.00.exe
    1148 | -
    1260 | npcap-1.00.exe
    520 | -
    1328 | -
    1260 | npcap-1.00.exe
    2204 | -
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    1260 | npcap-1.00.exe
    536 | Wireshark-win64-3.4.0.exe
    536 | Wireshark-win64-3.4.0.exe
  • Adds Run key to start application
    VC_redist.x64.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | VC_redist.x64.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f770e99-3916-4b0c-8f9b-83822826bcbf} = "\"C:\\ProgramData\\Package Cache\\{0f770e99-3916-4b0c-8f9b-83822826bcbf}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe

    The value is written by the Visual C++ Redistributable bootstrapper (WiX Burn): it registers its Package Cache copy under RunOnce with /burn.runonce so that an interrupted install resumes after a reboot, and RunOnce entries are removed once executed. The persistence tag is technically accurate, but the mechanism is the bootstrapper's own and points at the cached VC_redist.x64.exe, not at the Wireshark installer.
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates connected drives
    msiexec.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
  • JavaScript code in executable

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x0003000000013156-15.dat | js
    behavioral1/files/0x0003000000013156-18.dat | js
    behavioral1/files/0x0003000000013156-17.dat | js
    behavioral1/files/0x000300000001316d-20.dat | js
    behavioral1/files/0x000300000001316d-22.dat | js
    behavioral1/files/0x000300000001316d-23.dat | js
    behavioral1/files/0x00030000000131ac-25.dat | js
    behavioral1/files/0x00030000000131ac-27.dat | js
    behavioral1/files/0x00030000000131ac-28.dat | js
    behavioral1/files/0x00030000000131b4-30.dat | js
    behavioral1/files/0x00030000000131b5-32.dat | js
    behavioral1/files/0x00040000000131af-80.dat | js
    behavioral1/files/0x00050000000132ea-151.dat | js
    behavioral1/files/0x00050000000132ea-152.dat | js
  • Drops file in System32 directory
    npcap-1.00.exe, DrvInst.exe, NPFInstall.exe, msiexec.exe, DrvInst.exe, NPFInstall.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\system32\WlanHelper.exe | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\npcap.PNF | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | NPFInstall.exe
    File opened for modification | C:\Windows\system32\vcomp140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfcm140.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\Packet.dll | npcap-1.00.exe
    File created | C:\Windows\system32\Npcap\WlanHelper.exe | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
    File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\wpcap.dll | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\SETCBD7.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\SETCBE8.tmp | DrvInst.exe
    File created | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\SETCBE9.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\NPCAP.PNF | DrvInst.exe
    File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
    File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\NpcapHelper.exe | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.PNF | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
    File created | C:\Windows\SysWOW64\WlanHelper.exe | npcap-1.00.exe
    File created | C:\Windows\SysWOW64\Npcap\NpcapHelper.exe | npcap-1.00.exe
    File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140deu.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
    File created | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
    File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140deu.dll | msiexec.exe
    File created | C:\Windows\system32\Packet.dll | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_bc04a3cb67b96afb\npcap.PNF | DrvInst.exe
    File opened for modification | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
    File created | C:\Windows\system32\vcomp140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfcm140u.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
    File created | C:\Windows\system32\mfc140cht.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140kor.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140rus.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140enu.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
    File created | C:\Windows\system32\mfcm140.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\SETCBD7.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74} | DrvInst.exe
    File created | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
    File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
    File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.PNF | NPFInstall.exe
    File created | C:\Windows\SysWOW64\Npcap\Packet.dll | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\npcap.cat | DrvInst.exe
    File created | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\SETCBE8.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{76b4d8b7-6b0f-518a-e4e3-ce3617bccc74}\NPCAP.inf | DrvInst.exe
    File created | C:\Windows\system32\concrt140.dll | msiexec.exe
    File created | C:\Windows\system32\msvcp140.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\Npcap\WlanHelper.exe | npcap-1.00.exe
    File created | C:\Windows\system32\Npcap\wpcap.dll | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | NPFInstall.exe
    File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140fra.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140ita.dll | msiexec.exe
    File created | C:\Windows\system32\Npcap\Packet.dll | npcap-1.00.exe
  • Modifies service
    vssvc.exe, NPFInstall.exe, DrvInst.exe, NPFInstall.exe, npcap-1.00.exe, DrvInst.exe, VC_redist.x64.exe

    TTPs

    Modify Registry; Modify Existing Service

    Read this block against the process column. The VSS\Diag writes are vssvc.exe's own diagnostic records, produced because DrvInst.exe and VC_redist.x64.exe each requested a System Restore point (the SystemRestore\SrCreateRp rows). The Linkage\Export and Linkage\Route rewrites under lltdio, RasPppoe, rspndr, LanmanWorkstation, NetBIOS and TCPIP6 are the NDIS binding update Windows performs when a new filter driver and adapter are installed; the new service key services\{FADFD64F-966B-4C29-B674-20CD035EF0EB} created by DrvInst.exe carries the GUID that also appears inside those bindings. The Npcap-specific configuration is the handful of values under services\npcap and services\npcap_wifi (WinPcapCompatible, NdisImPlatformBindingOptions, the per-adapter keys). REG_MULTI_SZ values are shown as hex dumps of UTF-16LE text; three values were elided in this copy of the report and are marked "…".

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 4800000000000000a038ae0fd4bed601d8070000b0010000e80300000100000005000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE (Leave) = 4800000000000000a0f3f110d4bed601d8070000f8030000eb03000000000000000000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap\Parameters\NdisImPlatformBindingOptions = "0" | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 4800000000000000407a89f8d3bed601d8070000ec040000ec030000010000000000000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 4800000000000000a05c26fbd3bed601d80700000c070000f5030000000000000400000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage\Route = … | ….exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetBT | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\FREEZE (Leave) = 4800000000000000e04fe6f8d3bed601d80700004c020000eb030000000000000200000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_RM (Enter) = 4800000000000000c001d310d4bed601d8070000f8030000ef03000001000000000000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\0 | DrvInst.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\1\Ipv6\ProtocolId = "87" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 480000000000000060f09f0fd4bed601d8070000b0010000e80300000000000005000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000a04ed40fd4bed601d8070000b00100000100000001000000010000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap_wifi\Linkage\Export = 5c004400650076006900630065005c006e00700063006100700077006900660069005f007b00370031004600380039003700440037002d0045004200370043002d0034004400380044002d0038003900440042002d004100430038003000440039004400440032003200370030007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00450034003300440032003400320042002d0039004500410042002d0034003600320036002d0041003900350032002d003400360036003400390046004200420039003300390041007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00440046003400410039004400320043002d0038003700340032002d0034004500420031002d0038003700300033002d004400330039003500430034003100380033004600330033007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00380045003300300031004100350032002d0041004600460041002d0034004600340039002d0042003900430041002d004300370039003000390036004100310041003000350036007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00370038003000330032004200370045002d0034003900360038002d0034003200440033002d0039004600330037002d003200380037004500410038003600430030004100410041007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00320039003800390038004300390044002d0042003000410034002d0034004600450046002d0042004400420036002d003500370041003500360032003000320032004300450045007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c006e00700063006100700077006900660069005f004e00640069007300570061006e004900700000005c004400650076006900630065005c006e00700063006100700077006900660069005f004e00640069007300570061006e004200680000005c004400650076006900630065005c006e00700063006100700077006900660069005f004e00640069007300570061006e00490070007600360000000000 | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Leave) = 480000000000000060568afbd3bed601d80700000c070000fb030000000000000500000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 480000000000000020a54711d4bed601d80700000c070000f203000001000000030000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 480000000000000020a54711d4bed601d80700002c080000fc03000000000000030000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap_wifi\Parameters\Adapters\{DF4A9D2C-8742-4EB1-8703-D395C4183F33} | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lltdio\Linkage\Export = 5c004400650076006900630065005c006c006c007400640069006f005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c006c006c007400640069006f005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000000000 | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RasPppoe\Linkage\Export = 5c004400650076006900630065005c005200610073005000700070006f0065005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c005200610073005000700070006f0065005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000000000 | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 4800000000000000801267f7d3bed601d8070000b001000001040000000000000000000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 480000000000000080f6acfad3bed601d80700004c020000f2030000000000000300000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 4800000000000000e08bcf0fd4bed601d8070000f0050000e903000001000000050000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 4800000000000000c0383211d4bed601d8070000f8030000fd03000000000000000000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap\Parameters\WinPcapCompatible = "1" | npcap-1.00.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\msloop | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetBIOS\Linkage\Route = … | ….exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\RouterManagers\Stamp = "0" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage\Export = 5c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f0053006d0062005f00540063007000690070005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f0053006d0062005f00540063007000690070005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f0053006d0062005f005400630070006900700036005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f0053006d0062005f005400630070006900700036005f007b00420045004200360030004100390041002d0039004200310031002d0034003400300031002d0039003300330043002d003400380034003200360042003700390034003300410039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f0053006d0062005f005400630070006900700036005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f00540063007000690070005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f00540063007000690070005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00420045004200360030004100390041002d0039004200310031002d0034003400300031002d0039003300330043002d003400380034003200360042003700390034003300410039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400620069006f00730053006d00620000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f00540063007000690070005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f00540063007000690070005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00420045004200360030004100390041002d0039004200310031002d0034003400300031002d0039003300330043002d003400380034003200360042003700390034003300410039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000000000 | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Linkage\Route = … | ….exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage | DrvInst.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\3\Ipv6\ProtocolId = "87" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000407a89f8d3bed601d80700004c02000002000000010000000100000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ndisuio\Linkage | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\1\Ip | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{FADFD64F-966B-4C29-B674-20CD035EF0EB}\Parameters\Tcpip | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{FADFD64F-966B-4C29-B674-20CD035EF0EB}\Parameters | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 4800000000000000c05a75f7d3bed601d8070000c4060000e9030000010000000100000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{495fd7e4-1989-11eb-abf9-806e6f6e6963}_)\OPEN_VOLUME_HANDLE (Leave) = 4800000000000000c0bad6f9d3bed601d80700008c070000fd030000000000000000000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 4800000000000000c001d310d4bed601d8070000f8030000f003000001000000000000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000a01f3e11d4bed601e0070000b4050000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\1\Ipv6 | DrvInst.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\2\Ipv6\ProtocolId = "87" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000206195f8d3bed601d80700005404000003000000010000000200000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 4800000000000000c051a20fd4bed601e0070000b4050000d50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 4800000000000000e08bcf0fd4bed601d8070000b0010000e903000001000000050000000000000038c679f2abda074496d95d05916109c800000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | NPFInstall.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\3 | DrvInst.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\3\Stamp = "0" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 4800000000000000a02b5bf7d3bed601d8070000f0050000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 400000000000000060c792fad3bed601240100004c040000d5070000010000000000000000000000000000000000000000000000000000000000000000000000 | VC_redist.x64.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000c0b78cfbd3bed601d80700004c020000fb030000000000000500000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap\Parameters\Adapters\{29898C9D-B0A4-4FEF-BDB6-57A562022CEE}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501341}-0000 | NPFInstall.exe
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{C84EC2BE-72CF-42F6-A0CE-14B33FCE5624}\Domain | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 480000000000000060ee5ff7d3bed601d8070000c8070000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\GETSTATE (Leave) = 4800000000000000a04c94f7d3bed601d8070000c8070000f9030000000000000100000000000000d624c7886ec9fd4bbf1c261a6e28cee300000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap_wifi\Parameters\Adapters\{8E301A52-AFFA-4F49-B9CA-C79096A1A056}\{7DAF2AC8-E9F6-4765-A842-F1F5D2501351}-0000 | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rspndr\Linkage\Export = 5c004400650076006900630065005c007200730070006e00640072005f007b00460041004400460044003600340046002d0039003600360042002d0034004300320039002d0042003600370034002d003200300043004400300033003500450046003000450042007d0000005c004400650076006900630065005c007200730070006e00640072005f007b00430038003400450043003200420045002d0037003200430046002d0034003200460036002d0041003000430045002d003100340042003300330046004300450035003600320034007d0000000000 | DrvInst.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Interfaces\2 | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Dhcp\Configurations\Options = 32000000000000000400000000000000ffffff7f0000000001000000000000000400000000000000ffffff7f00000000 | DrvInst.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\npcap\Parameters\Adapters\{5BF54C7E-91DA-457D-80BF-333677D7E316} | NPFInstall.exe
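The Linkage\Export values above are REG_MULTI_SZ data that the sandbox prints as a hex dump of UTF-16LE bytes, which hides the one thing an analyst wants from them: which adapters the new bindings point at. The following decoder is an added example, not part of the report or of any sandbox tooling. The sample input is the lltdio\Linkage\Export value copied from the table above; the helper names are this example's own.

```python
import re

# REG_MULTI_SZ value copied from the report's lltdio\Linkage\Export row above:
# UTF-16LE text, each string NUL-terminated, the whole list closed by an extra NUL.
LLTDIO_EXPORT_HEX = (
    "5c004400650076006900630065005c006c006c007400640069006f005f007b00"
    "460041004400460044003600340046002d0039003600360042002d00"
    "34004300320039002d0042003600370034002d00"
    "3200300043004400300033003500450046003000450042007d000000"
    "5c004400650076006900630065005c006c006c007400640069006f005f007b00"
    "430038003400450043003200420045002d0037003200430046002d00"
    "34003200460036002d0041003000430045002d00"
    "3100340042003300330046004300450035003600320034007d0000000000"
)

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
# NDIS binding names have the form \Device\<service>_<suffix>; the suffix is an
# adapter GUID for real NICs and a plain name (e.g. NdisWanIp) for WAN pseudo-bindings.
BINDING_RE = re.compile(r"^\\Device\\([^_\\]+)_(.+)$")


def decode_multi_sz_hex(hex_value):
    """Turn the sandbox's hex dump of a REG_MULTI_SZ into a list of strings."""
    hex_value = "".join(hex_value.split())        # tolerate values wrapped across lines
    if len(hex_value) % 4:
        raise ValueError("hex dump is not a whole number of UTF-16 code units")
    text = bytes.fromhex(hex_value).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]    # drop per-string and list terminators


def parse_bindings(paths):
    """Split each '\\Device\\<service>_<suffix>' entry into its parts."""
    out = []
    for path in paths:
        m = BINDING_RE.match(path)
        if not m:
            out.append({"path": path, "service": None, "suffix": None, "guid": None})
            continue
        g = GUID_RE.search(m.group(2))
        out.append({"path": path, "service": m.group(1), "suffix": m.group(2),
                    "guid": g.group(1).upper() if g else None})
    return out


def adapters_bound(hex_value):
    """Adapter GUIDs a protocol or filter is bound to, in registry order."""
    return [b["guid"] for b in parse_bindings(decode_multi_sz_hex(hex_value)) if b["guid"]]


if __name__ == "__main__":
    for binding in parse_bindings(decode_multi_sz_hex(LLTDIO_EXPORT_HEX)):
        print(binding["service"], "->", binding["guid"] or binding["suffix"])
```

Decoding the lltdio value yields two bindings, to adapters {FADFD64F-966B-4C29-B674-20CD035EF0EB} and {C84EC2BE-72CF-42F6-A0CE-14B33FCE5624}; the first GUID is the service key DrvInst.exe created in this same section and the second is the interface whose Tcpip\Parameters\Interfaces\{…}\Domain value it set, which is how a Linkage entry is tied back to the adapter that was added. The npcap_wifi and LanmanWorkstation dumps in the table are long enough to wrap in some renderings; the whitespace stripping in decode_multi_sz_hex lets them be pasted in as several lines.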
  • Drops file in Program Files directory
    Wireshark-win64-3.4.0.exe, NPFInstall.exe, npcap-1.00.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files\Wireshark\snmp\mibs\NETWORK-SERVICES-MIB | Wireshark-win64-3.4.0.exe
    File opened for modification | C:\Program Files\Npcap\NPFInstall.log | NPFInstall.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\DISMAN-SCRIPT-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\IPMCAST-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\TN3270E-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\diameter\mobileipv4.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.sonicwall | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\RFC1269-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\CAPWAP-DOT11-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\OSPFV3-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\FRAMEWORK-TC-PIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libgmp-10.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\manuf | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.rfc6929 | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\RMON2-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\ROHC-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\RTP-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\translations\qt_it.qm | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\IPMROUTE-STD-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\dtds\smil.dtd | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\translations\qt_zh_TW.qm | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\IANAifType-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\APPN-TRAP-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\snmp\mibs\SIP-UA-MIB | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.netscreen | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.quintum | Wireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.rfc5580Wireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\DS3-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\ietf-inet-types.yangWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.garderosWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.perleWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.zeusWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.freeswitchWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\IANA-PRINTER-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\DIFFSERV-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\RFC1213-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\IPSEC-POLICY-PIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.alcatel.srWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.dhcpWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.digiumWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.wimax.wichorusWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\plugins\3.4\wiretap\usbdump.dllWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\IANA-IPPM-METRICS-REGISTRY-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\FR-ATM-PVC-SERVICE-IWF-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\SNMP-TLS-TM-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\init.luaWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\diameter\VerizonWireless.xmlWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.karlnetWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\T11-FC-FABRIC-ADDR-MGR-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\ACCESSBIND-PIB-origWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\translations\qt_he.qmWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\ROHC-RTP-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\SNMP-USM-AES-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\pcre.dllWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.audiocodesWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Npcap\FixInstall.batnpcap-1.00.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.itkWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\profiles\Bluetooth\colorfiltersWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\DS0-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\FR-MFR-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\snmp\mibs\MPLS-TE-STD-MIBWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\wireshark.htmlWireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\diameter\sunping.xmlWireshark-win64-3.4.0.exe
  • Drops file in Windows directory
    DrvInst.exe, msiexec.exe, NPFInstall.exe, VC_redist.x64.exe, pnputil.exe, DrvInst.exe, DrvInst.exe, NPFInstall.exe, DrvInst.exe, VC_redist.x64.exe, NPFInstall.exe

    Reported IOCs

    description | ioc | process
    File opened for modificationC:\Windows\INF\setupapi.dev.logDrvInst.exe
    File createdC:\Windows\Installer\f7548e3.msimsiexec.exe
    File opened for modificationC:\Windows\Installer\MSI5B36.tmpmsiexec.exe
    File opened for modificationC:\Windows\Installer\MSI5DD7.tmpmsiexec.exe
    File opened for modificationC:\Windows\INF\setupapi.dev.logNPFInstall.exe
    File opened for modificationC:\Windows\INF\setupapi.ev3DrvInst.exe
    File opened for modificationC:\Windows\Installer\MSI50C3.tmpmsiexec.exe
    File createdC:\Windows\Installer\f7548e5.ipimsiexec.exe
    File opened for modificationC:\Windows\Installer\f7548e5.ipimsiexec.exe
    File opened for modificationC:\Windows\WindowsUpdate.logVC_redist.x64.exe
    File createdC:\Windows\INF\oem1.PNFpnputil.exe
    File opened for modificationC:\Windows\INF\setupapi.dev.logDrvInst.exe
    File opened for modificationC:\Windows\Installer\f7548d3.msimsiexec.exe
    File opened for modificationC:\Windows\INF\setupapi.app.logNPFInstall.exe
    File opened for modificationC:\Windows\INF\setupapi.ev3DrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.ev1DrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.dev.logDrvInst.exe
    File createdC:\Windows\INF\oem2.PNFNPFInstall.exe
    File opened for modificationC:\Windows\INF\setupapi.ev3DrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.ev2DrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.dev.logNPFInstall.exe
    File createdC:\Windows\Installer\f7548d3.msimsiexec.exe
    File createdC:\Windows\Installer\f7548d5.ipimsiexec.exe
    File opened for modificationC:\Windows\INF\setupapi.dev.logDrvInst.exe
    File createdC:\Windows\INF\oem2.infDrvInst.exe
    File opened for modificationC:\Windows\INF\oem2.infDrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.ev1DrvInst.exe
    File opened for modificationC:\Windows\Installer\MSI52D8.tmpmsiexec.exe
    File opened for modificationC:\Windows\Installer\f7548e3.msimsiexec.exe
    File createdC:\Windows\Installer\f7548f7.msimsiexec.exe
    File opened for modificationC:\Windows\INF\setupapi.ev1DrvInst.exe
    File opened for modificationC:\Windows\INF\setupapi.app.logNPFInstall.exe
    File opened for modificationC:\Windows\WindowsUpdate.logVC_redist.x64.exe
    File createdC:\Windows\INF\oem0.PNFpnputil.exe
    File createdC:\Windows\Installer\f7548e2.msimsiexec.exe
    File opened for modificationC:\Windows\Installer\f7548d5.ipimsiexec.exe
    File opened for modificationC:\Windows\INF\setupapi.app.logNPFInstall.exe
    File opened for modificationC:\Windows\inf\netloop.PNFNPFInstall.exe
    File opened for modificationC:\Windows\Installer\msiexec.exe
  • NSIS installer

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00030000000132e9-83.datnsis_installer_1
    behavioral1/files/0x00030000000132e9-83.datnsis_installer_2
    behavioral1/files/0x00030000000132e9-85.datnsis_installer_1
    behavioral1/files/0x00030000000132e9-85.datnsis_installer_2
    behavioral1/files/0x00030000000132e9-86.datnsis_installer_1
    behavioral1/files/0x00030000000132e9-86.datnsis_installer_2
  • Creates scheduled task(s)
    SCHTASKS.EXE

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2372SCHTASKS.EXE
  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorageiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowseriexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistryiexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D2065C1-2AC7-11EB-A7D7-E6A19248D3FE} = "0"iexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MainIEXPLORE.EXE
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNamesiexplore.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312597033"iexplore.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliFormsiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPUiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoomiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActiveiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Mainiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetupiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMiciexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearchiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecoveryiexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMiciexplore.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000iexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestioniexplore.exe
    Key created\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbariexplore.exe
  • Modifies data under HKEY_USERS
    DrvInst.exe, DrvInst.exe, DrvInst.exe, DrvInst.exe, msiexec.exe

    Reported IOCs

    description | ioc | process
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeopleDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRootDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trustDrvInst.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MyDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trustDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CertificatesDrvInst.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeopleDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27msiexec.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CADrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLsDrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software PublishingDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\DisallowedDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLsDrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software PublishingDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisherDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CertificatesDrvInst.exe
    Set value (data)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLsDrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"DrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CertificatesDrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CADrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\DisallowedDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CertificatesDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLsDrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLsDrvInst.exe
    Set value (str)\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network."DrvInst.exe
    Key created\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLsDrvInst.exe
  • Modifies registry class
    msiexec.exe, Wireshark-win64-3.4.0.exe, VC_redist.x64.exe, VC_redist.x64.exe

    Reported IOCs

    description | ioc | process
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\Clients = 3a0000000000msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.acp\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.enc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.ntarWireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.pkt\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.vwr\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\57987521567CFDB4D8CD2348CBE058F5msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.atc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\SourceList\Media\1 = ";"msiexec.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.apc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.syc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.tpc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\ProductName = "Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29112"msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.out\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.rf5\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53msiexec.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\DeploymentFlags = "3"msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29112"msiexec.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\InstanceType = "0"msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\SourceListmsiexec.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.21,bundle\Dependents\{F4220B74-9EDD-4DED-BC8B-0342C1E164D8}VC_redist.x64.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.5vw\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\SourceListmsiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.27,bundle\Dependents\{0f770e99-3916-4b0c-8f9b-83822826bcbf}VC_redist.x64.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\Language = "1033"msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\SourceList\Netmsiexec.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\57987521567CFDB4D8CD2348CBE058F5\SourceList\Netmsiexec.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\AuthorizedLUAApp = "0"msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.bfr\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.cap\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.27,bundleVC_redist.x64.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.acpWireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.tr1Wireshark-win64-3.4.0.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\57987521567CFDB4D8CD2348CBE058F5\SourceList\Mediamsiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6671BB73785CEA942BBD16F8DBAE8BC8\Servicing_Keymsiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\SourceList\Mediamsiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{1B4EDD59-90CE-4BDE-8520-630981088165}"msiexec.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\Assignment = "1"msiexec.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{F4220B74-9EDD-4DED-BC8B-0342C1E164D8}VC_redist.x64.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.5vwWireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.erf\ = "wireshark-capture-file"Wireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.27,bundle\ = "{0f770e99-3916-4b0c-8f9b-83822826bcbf}"VC_redist.x64.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{37BB1766-C587-49AE-B2DB-618FBDEAB88C}"msiexec.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD7CAC7F4253D2C47ABD1E16043A5D6E\SourceList\Netmsiexec.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\Clients = 3a0000000000msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.sycWireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.trcWireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.wpzWireshark-win64-3.4.0.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\AdvertiseFlags = "388"msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{0f770e99-3916-4b0c-8f9b-83822826bcbf}VC_redist.x64.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.apcWireshark-win64-3.4.0.exe
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\57987521567CFDB4D8CD2348CBE058F5\SourceListmsiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6671BB73785CEA942BBD16F8DBAE8BC8msiexec.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95DDE4B1EC09EDB45802369018801856\VC_Runtime_Additionalmsiexec.exe
    Set value (int)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\AdvertiseFlags = "388"msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\commandWireshark-win64-3.4.0.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.fdcWireshark-win64-3.4.0.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.27,bundle\Version = "14.27.29112.0"VC_redist.x64.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6671BB73785CEA942BBD16F8DBAE8BC8\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{37BB1766-C587-49AE-B2DB-618FBDEAB88C}v14.27.29112\\packages\\vcRuntimeMinimum_amd64\\"msiexec.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95DDE4B1EC09EDB45802369018801856\SourceList\Netmsiexec.exe
  • Suspicious behavior: EnumeratesProcesses
    msiexec.exe, NPFInstall.exe

    Reported IOCs

    pid | process
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    324msiexec.exe
    1744NPFInstall.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    460
    460
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe, DrvInst.exe, VC_redist.x64.exe, msiexec.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege2008vssvc.exe
    Token: SeRestorePrivilege2008vssvc.exe
    Token: SeAuditPrivilege2008vssvc.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeRestorePrivilege1272DrvInst.exe
    Token: SeLoadDriverPrivilege1272DrvInst.exe
    Token: SeLoadDriverPrivilege1272DrvInst.exe
    Token: SeLoadDriverPrivilege1272DrvInst.exe
    Token: SeShutdownPrivilege292VC_redist.x64.exe
    Token: SeIncreaseQuotaPrivilege292VC_redist.x64.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeSecurityPrivilege324msiexec.exe
    Token: SeCreateTokenPrivilege292VC_redist.x64.exe
    Token: SeAssignPrimaryTokenPrivilege292VC_redist.x64.exe
    Token: SeLockMemoryPrivilege292VC_redist.x64.exe
    Token: SeIncreaseQuotaPrivilege292VC_redist.x64.exe
    Token: SeMachineAccountPrivilege292VC_redist.x64.exe
    Token: SeTcbPrivilege292VC_redist.x64.exe
    Token: SeSecurityPrivilege292VC_redist.x64.exe
    Token: SeTakeOwnershipPrivilege292VC_redist.x64.exe
    Token: SeLoadDriverPrivilege292VC_redist.x64.exe
    Token: SeSystemProfilePrivilege292VC_redist.x64.exe
    Token: SeSystemtimePrivilege292VC_redist.x64.exe
    Token: SeProfSingleProcessPrivilege292VC_redist.x64.exe
    Token: SeIncBasePriorityPrivilege292VC_redist.x64.exe
    Token: SeCreatePagefilePrivilege292VC_redist.x64.exe
    Token: SeCreatePermanentPrivilege292VC_redist.x64.exe
    Token: SeBackupPrivilege292VC_redist.x64.exe
    Token: SeRestorePrivilege292VC_redist.x64.exe
    Token: SeShutdownPrivilege292VC_redist.x64.exe
    Token: SeDebugPrivilege292VC_redist.x64.exe
    Token: SeAuditPrivilege292VC_redist.x64.exe
    Token: SeSystemEnvironmentPrivilege292VC_redist.x64.exe
    Token: SeChangeNotifyPrivilege292VC_redist.x64.exe
    Token: SeRemoteShutdownPrivilege292VC_redist.x64.exe
    Token: SeUndockPrivilege292VC_redist.x64.exe
    Token: SeSyncAgentPrivilege292VC_redist.x64.exe
    Token: SeEnableDelegationPrivilege292VC_redist.x64.exe
    Token: SeManageVolumePrivilege292VC_redist.x64.exe
    Token: SeImpersonatePrivilege292VC_redist.x64.exe
    Token: SeCreateGlobalPrivilege292VC_redist.x64.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
    Token: SeTakeOwnershipPrivilege324msiexec.exe
    Token: SeRestorePrivilege324msiexec.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid | process
    592 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid | process
    592 | iexplore.exe
    592 | iexplore.exe
    984 | IEXPLORE.EXE
    984 | IEXPLORE.EXE
    984 | IEXPLORE.EXE
    984 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    Wireshark-win64-3.4.0.exe, iexplore.exe, vcredist_x64.exe, vcredist_x64.exe, VC_redist.x64.exe, VC_redist.x64.exe, VC_redist.x64.exe, npcap-1.00.exe

    Reported IOCs

    description | pid | process | target process
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 536 wrote to memory of 1380 | 536 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 592 wrote to memory of 984 | 592 | iexplore.exe | IEXPLORE.EXE
    PID 592 wrote to memory of 984 | 592 | iexplore.exe | IEXPLORE.EXE
    PID 592 wrote to memory of 984 | 592 | iexplore.exe | IEXPLORE.EXE
    PID 592 wrote to memory of 984 | 592 | iexplore.exe | IEXPLORE.EXE
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1380 wrote to memory of 1468 | 1380 | vcredist_x64.exe | vcredist_x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1468 wrote to memory of 292 | 1468 | vcredist_x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 292 wrote to memory of 1784 | 292 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1784 wrote to memory of 316 | 1784 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 316 wrote to memory of 1568 | 316 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 536 wrote to memory of 1260 | 536 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 1260 wrote to memory of 1744 | 1260 | npcap-1.00.exe | NPFInstall.exe
    PID 1260 wrote to memory of 1744 | 1260 | npcap-1.00.exe | NPFInstall.exe
    PID 1260 wrote to memory of 1744 | 1260 | npcap-1.00.exe | NPFInstall.exe
    PID 1260 wrote to memory of 1744 | 1260 | npcap-1.00.exe | NPFInstall.exe
    PID 1260 wrote to memory of 1484 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 1484 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 1484 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 1484 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 912 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 912 | 1260 | npcap-1.00.exe | certutil.exe
    PID 1260 wrote to memory of 912 | 1260 | npcap-1.00.exe | certutil.exe
Processes 25
  • C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe"
    Loads dropped DLL
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:536
    • C:\Program Files\Wireshark\vcredist_x64.exe
      "C:\Program Files\Wireshark\vcredist_x64.exe" /install /quiet /norestart
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe
        "C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vcredist_x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{6F149526-2581-45CE-B8D1-A454DEC424BB} {35247DF1-A54C-46AA-A819-BA42F8DD0789} 1468
          Executes dropped EXE
          Adds Run key to start application
          Modifies service
          Drops file in Windows directory
          Modifies registry class
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:292
          • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
            "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=500 -burn.embedded BurnPipe.{7456D846-71C9-462A-9B31-2C18DF68EFCB} {024FF4AD-7A13-4B72-AAF5-3EE77F6ED8D1} 292
            Suspicious use of WriteProcessMemory
            PID:1784
            • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
              "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=500 -burn.embedded BurnPipe.{7456D846-71C9-462A-9B31-2C18DF68EFCB} {024FF4AD-7A13-4B72-AAF5-3EE77F6ED8D1} 292
              Loads dropped DLL
              Suspicious use of WriteProcessMemory
              PID:316
              • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
                "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5DD0994E-60BF-4840-913C-6DB5DA98F959} {862C7DAF-8AAB-420C-9B31-584CCA5E0FDC} 316
                Drops file in Windows directory
                Modifies registry class
                PID:1568
    • C:\Program Files\Wireshark\npcap-1.00.exe
      "C:\Program Files\Wireshark\npcap-1.00.exe" /winpcap_mode=no /loopback_support=no
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies service
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe
        "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe" -n -check_dll
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:1744
      • C:\Windows\SysWOW64\certutil.exe
        certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV.cer"
        PID:1484
      • C:\Windows\SysWOW64\certutil.exe
        certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst8191.tmp\Insecure-EV-sha1.cer"
        PID:912
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -c
        Executes dropped EXE
        PID:1264
        • C:\Windows\system32\pnputil.exe
          pnputil.exe -e
          Drops file in Windows directory
          PID:1028
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
        Executes dropped EXE
        Drops file in Windows directory
        PID:1908
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies service
        Drops file in Program Files directory
        Drops file in Windows directory
        PID:1484
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -il
        Executes dropped EXE
        Drops file in System32 directory
        Modifies service
        Drops file in Windows directory
        PID:2188
      • C:\Windows\SysWOW64\SCHTASKS.EXE
        SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
        Creates scheduled task(s)
        PID:2372
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:592
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:2008
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003A8" "00000000000005B8"
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    Suspicious use of AdjustPrivilegeToken
    PID:1272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Blacklisted process makes network request
    Enumerates connected drives
    Drops file in System32 directory
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:324
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{26d7c48a-f8f8-5c99-06c3-142926215c5a}\NPCAP.inf" "9" "605306be3" "00000000000003EC" "WinSta0\Default" "00000000000003D8" "208" "C:\Program Files\Npcap"
    Drops file in System32 directory
    Modifies service
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    PID:2016
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000005C4" "00000000000005C8"
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    PID:1784
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\netloop.inf" "netloop.inf:Microsoft.NTamd64:MSLOOP.ndi:6.1.7600.16385:*msloop" "6632877cf" "00000000000003EC" "00000000000003A8" "00000000000005C4"
    Drops file in Drivers directory
    Drops file in System32 directory
    Modifies service
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    PID:2236
Network
MITRE ATT&CK Matrix
Downloads

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

                      MD5

                      5c2a82f74a564f4bd605207dc8845b18

                      SHA1

                      a3681d7e7cbc9e4cde84b85f55bdc94f079fa17f

                      SHA256

                      c4766867d211cc60069f2bc088d80aecb64f1d62d0d1116993f34a22e62073cf

                      SHA512

                      af19f506441db43096ee211864e7de39248975b8a18b5b99078b31ee0ed5e659b8838bac11499d0fe8bf971ffd73c50a3cbc01efa67e62ac192a6c041699b726

                    • C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\cab5046A8AB272BF37297BB7928664C9503

                      MD5

                      e76673ff437d9953e47bc7dff98cca82

                      SHA1

                      b3b8cda5d4ae340fb381e06124da63f1f753fbdf

                      SHA256

                      9ae5e7da815b59ba58b8d40d0438d96b02bcadde8d5afb4e359b2118ac968f95

                      SHA512

                      003f2b8c5c8556a7fa1e12b49d2b36bdd0a8581e41952e9eda76bcf3cb85f546fbd8df242cc8d46d6ea0b79979d7a4ac0380100a17ed4c7e016be86fc21d9dd3

                    • C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeAdditional_x64

                      MD5

                      c67f21677ad09aaec06560558d0b61e3

                      SHA1

                      092eb8fafc5ae0105234112ea782be0147b6822e

                      SHA256

                      13de3270d5ec9025c818089a2bd514d4dce1d784083ab36ca7350c4ec2a32737

                      SHA512

                      7c46dc50be247d7927e9761927a04457565736d9c35bf81862e8131e5115766e404f2412ea176f4f7119c91eeb59ebf321cc04d54dc0cad55c811838d4098ad7

                    • C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\vcRuntimeMinimum_x64

                      MD5

                      1aadae6e83982688768731a678a37568

                      SHA1

                      18ec1cf86e1788d82ed5aabccf22747577f30edb

                      SHA256

                      c646c4ccaedcf755e296027f34f40c0b50469f0358fdc6bb266b42fee94de58c

                      SHA512

                      2dbde85f2c96bd127eabc8e1095fe6e9b232bd13335257e3a2a5c30c14e91a677c8c80a52386bfb9ab89f3dad42f4fc151bf0ddd31383a137a9631eb78f92b2e

                    • C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • C:\Windows\WindowsUpdate.log

                      MD5

                      ee22ddd54e0a68b175680764fd593361

                      SHA1

                      e3d910e471d2060a3fb37caf54986c118b1938e6

                      SHA256

                      1a92835c1aae2fadc976d6651677399852dc4ff9e3ecee91f2cdbbe0feaa6ad9

                      SHA512

                      b090aab144f7f1362403ff791018a98ed9a7e242561040c245a267eb4d902942561297b6e64717dc85cc511538d1912fbb81752252634e37179f01eeae284b90

                    • \Program Files\Npcap\NPFInstall.exe

                      MD5

                      f93eedcb0df2ef914ed51cc927a1fde9

                      SHA1

                      55056db79c0963883931e4c59222827129137c85

                      SHA256

                      7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3

                      SHA512

                      9d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71

                    • \Program Files\Wireshark\Wireshark.exe

                      MD5

                      947e65d88f29b9a6dab0e9d525aa6b6d

                      SHA1

                      276fd55a7bba34bf79bdde3220c555222470e1b2

                      SHA256

                      c4a7d8915de8c4443d9640b0dbdde6f9400453bd01012e5cee01a80e40b7ee8f

                      SHA512

                      9293fc8b082f652918be490b550268564570c84bbd6a25b5e8f28c11e45d2734dc4f35d8c58fe1c85876c8c5f31c95e5dd2eed41e013802112d5f4927dda496b

                    • \Program Files\Wireshark\npcap-1.00.exe

                      MD5

                      fc8cb1b4677c90859af51c8c664e755d

                      SHA1

                      62f3d68f01f93c1b5b3f915a2781cd523394b944

                      SHA256

                      488ab12e28e81d0dcf3d5d996f9cb676293f6f73b39e9c99476b5a44cec2250a

                      SHA512

                      bbdc020bf97f75c8f63f09495e5580fcc77af342fe4866fcc12023d75d8ff73b0826c66a655b70f79588ab7a1b8eea0baf228305214a9b3ea60667799246dcaf

                    • \Program Files\Wireshark\vcredist_x64.exe

                      MD5

                      9f096b97d204078b443dbcbf18e0ebb0

                      SHA1

                      a55510a8c9708b2c68b39cd50bbcaf86e2c885f0

                      SHA256

                      4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107

                      SHA512

                      c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec

                    • \Users\Admin\AppData\Local\Temp\nsn15F3.tmp\InstallOptions.dll

                      MD5

                      09d8971beefefffd710030dd167a99e0

                      SHA1

                      a0117786ad77213f3eb48cfdc3819786cb796b7d

                      SHA256

                      caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

                      SHA512

                      3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

                    • \Users\Admin\AppData\Local\Temp\nsn15F3.tmp\System.dll

                      MD5

                      8cf2ac271d7679b1d68eefc1ae0c5618

                      SHA1

                      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

                      SHA256

                      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

                      SHA512

                      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

                    • \Users\Admin\AppData\Local\Temp\nsn15F3.tmp\nsDialogs.dll

                      MD5

                      ec9640b70e07141febbe2cd4cc42510f

                      SHA1

                      64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

                      SHA256

                      c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

                      SHA512

                      47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

                    • \Users\Admin\AppData\Local\Temp\nst8191.tmp\InstallOptions.dll

                      MD5

                      d8bfba73978801ed5c291b847ae6ed0f

                      SHA1

                      afd973df6c0fd92372b787f2a06a02fa4c03b877

                      SHA256

                      75fca8af133756a0d36ad9b6177ef8ee01b6dd18ede216d82b2eb5f8092a84cd

                      SHA512

                      62b921725c727247b96622765caa4ddec1126980e677764f9bdb5e68eae50044747f0ee99744c44b7a7253a57e3c28a2fc19a99d479787aa4944499871db92f2

                    • \Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe

                      MD5

                      f93eedcb0df2ef914ed51cc927a1fde9

                      SHA1

                      55056db79c0963883931e4c59222827129137c85

                      SHA256

                      7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3

                      SHA512

                      9d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71

                    • \Users\Admin\AppData\Local\Temp\nst8191.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nst8191.tmp\System.dll

                      MD5

                      6a2f80ed640b6c2458329c2d3f8d9e3f

                      SHA1

                      c6dba02a05dbf15aa5de3ac1464bc9dce995eb80

                      SHA256

                      1e981423fda8f74e9a7079675c1a6fe55c716d4c0d50fb03ea482ff7500db14b

                      SHA512

                      00d49b1874d76b150a646ac40032b34608e548cfd806642982e446619c9852a0ab5389791468651c4d51d118aad502174e7b887c2b5b6a7a3e35ddd9bd50d722

                    • \Users\Admin\AppData\Local\Temp\nst8191.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.ba\wixstdba.dll

                      MD5

                      eab9caf4277829abdf6223ec1efa0edd

                      SHA1

                      74862ecf349a9bedd32699f2a7a4e00b4727543d

                      SHA256

                      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

                      SHA512

                      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

                    • \Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • \Windows\Temp\{6B31E9F4-6120-4A3F-AE5B-827EBD4DFA69}\.ba\wixstdba.dll

                      MD5

                      eab9caf4277829abdf6223ec1efa0edd

                      SHA1

                      74862ecf349a9bedd32699f2a7a4e00b4727543d

                      SHA256

                      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

                      SHA512

                      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

                    • \Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • memory/292-26-0x0000000000000000-mapping.dmp

                    • memory/316-78-0x0000000000000000-mapping.dmp

                    • memory/324-46-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-37-0x0000000001270000-0x0000000001274000-memory.dmp

                    • memory/324-39-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-41-0x0000000001270000-0x0000000001274000-memory.dmp

                    • memory/324-36-0x0000000001270000-0x0000000001274000-memory.dmp

                    • memory/324-75-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                    • memory/324-42-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-76-0x0000000002E50000-0x0000000002E54000-memory.dmp

                    • memory/324-44-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-73-0x0000000002E50000-0x0000000002E54000-memory.dmp

                    • memory/324-60-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                    • memory/324-55-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                    • memory/324-54-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                    • memory/324-53-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                    • memory/324-52-0x0000000001270000-0x0000000001274000-memory.dmp

                    • memory/324-49-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-48-0x00000000025D0000-0x00000000025D4000-memory.dmp

                    • memory/324-35-0x0000000001840000-0x0000000001844000-memory.dmp

                    • memory/536-9-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

                    • memory/536-3-0x00000000065C0000-0x00000000066C1000-memory.dmp

                    • memory/672-14-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

                    • memory/912-102-0x0000000000000000-mapping.dmp

                    • memory/984-19-0x0000000000000000-mapping.dmp

                    • memory/1028-111-0x0000000000000000-mapping.dmp

                    • memory/1260-84-0x0000000000000000-mapping.dmp

                    • memory/1264-107-0x0000000000000000-mapping.dmp

                    • memory/1380-16-0x0000000000000000-mapping.dmp

                    • memory/1468-21-0x0000000000000000-mapping.dmp

                    • memory/1484-98-0x0000000000000000-mapping.dmp

                    • memory/1484-119-0x0000000000000000-mapping.dmp

                    • memory/1568-81-0x0000000000000000-mapping.dmp

                    • memory/1744-93-0x0000000000000000-mapping.dmp

                    • memory/1784-77-0x0000000000000000-mapping.dmp

                    • memory/1908-113-0x0000000000000000-mapping.dmp

                    • memory/2188-137-0x0000000000000000-mapping.dmp

                    • memory/2236-143-0x0000000000DC0000-0x0000000000DE0000-memory.dmp

                    • memory/2372-148-0x0000000000000000-mapping.dmp
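The dropped-file listing above records the same artefact under several paths (NPFInstall.exe both in the NSIS temp directory and in Program Files\Npcap, the VC++ redistributable in two Windows\Temp bundle directories) and repeats some entries verbatim once per process that touched them. The script below is an added example and not part of the sandbox report: it parses this "bullet, hash label, hash value" layout into a deduplicated set, groups paths by SHA256 so the same bytes at different locations are recognised as one file, and flags hash values whose length or alphabet does not match the named algorithm. The input is a constructed, abbreviated excerpt of the entries above (SHA256 only); the function and variable names are the example's own.

```python
"""Turn a sandbox report's dropped-file listing into a deduplicated IOC table.

Added example, not part of the report. Parses the page's "bullet path /
HASHNAME / value" layout, collapses verbatim repeats, groups paths by SHA256
and flags malformed hash values.
"""
import re
from collections import defaultdict

# Constructed excerpt of the listing above, abbreviated to SHA256 only.
REPORT_EXCERPT = r"""
• \Program Files\Npcap\NPFInstall.exe
  SHA256
  7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
• \Program Files\Npcap\NPFInstall.exe
  SHA256
  7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
• \Users\Admin\AppData\Local\Temp\nst8191.tmp\NPFInstall.exe
  SHA256
  7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3
• \Program Files\Wireshark\vcredist_x64.exe
  SHA256
  4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107
• C:\Windows\Temp\{8919893D-485C-4467-B601-7E793E9EC725}\.cr\vcredist_x64.exe
  SHA256
  bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
• C:\Windows\Temp\{5F695450-27D1-4248-92CE-E2B694E1AE4B}\.be\VC_redist.x64.exe
  SHA256
  bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6
"""

# Expected hex-digit length for each hash label the report uses.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def _add(entries, seen, entry):
    """Append entry unless an identical (path, hashes) pair was already seen."""
    key = (entry["path"], tuple(sorted(entry["hashes"].items())))
    if key not in seen:
        seen.add(key)
        entries.append(entry)


def parse_dropped_files(text):
    """Return unique {'path', 'hashes'} entries in report order.

    A line starting with the bullet opens a new entry; a bare hash label
    (MD5, SHA1, ...) marks the next non-empty line as that hash's value.
    Values are kept even if malformed so validate_entries() can flag them.
    """
    entries, seen = [], set()
    current, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current:
                _add(entries, seen, current)
            current = {"path": line[1:].strip(), "hashes": {}}
            pending = None
        elif line.upper() in HASH_LEN:
            pending = line.upper()
        elif current is not None and pending:
            current["hashes"][pending] = line.lower()
            pending = None
    if current:
        _add(entries, seen, current)
    return entries


def group_by_hash(entries, alg="SHA256"):
    """Map each distinct hash value to every path it was observed at."""
    groups = defaultdict(list)
    for e in entries:
        value = e["hashes"].get(alg)
        if value:
            groups[value].append(e["path"])
    return dict(groups)


def validate_entries(entries):
    """Return (path, algorithm) pairs whose value has the wrong length or alphabet."""
    problems = []
    for e in entries:
        for alg, value in e["hashes"].items():
            if len(value) != HASH_LEN[alg] or not HEX_RE.match(value):
                problems.append((e["path"], alg))
    return problems


if __name__ == "__main__":
    ents = parse_dropped_files(REPORT_EXCERPT)
    print(f"{len(ents)} unique entries, {len(validate_entries(ents))} malformed")
    for digest, paths in group_by_hash(ents).items():
        print(digest[:16], "...")
        for p in paths:
            print("   ", p)
```

When triaging a report like this, compare the set of distinct SHA256 values, not the paths, against the vendor's published checksums: the copy of a file in an NSIS temp directory and the copy installed under Program Files carry the same digest and need to be checked only once, while two files that share a name but not a digest (here vcredist_x64.exe in Program Files\Wireshark versus the extracted VC_redist.x64.exe in Windows\Temp) are different binaries and must be checked separately.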