Wireshark-win64-3.4.0.exe

General

Target: Wireshark-win64-3.4.0.exe
Filesize: 58MB
Completed: 20-11-2020 00:25
Score: 9/10
MD5: f427fe6703fdf785bae6274b9ff0cc7d
SHA1: e2dd1f2364d58f93fd44f7330a3068d5bed00154
SHA256: 32113e083409de888468e0bfe74ba98e6d618f9685a56a06f15b0506fdf4e462

Signatures: 23

Tactics: Defense Evasion, Discovery, Persistence
  • Checks for common network interception software

    Description

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Blacklisted process makes network request
    msiexec.exe

    Reported IOCs

    flow/pid | process
    22352 | msiexec.exe
    22352 | msiexec.exe
  • Drops file in Drivers directory
    NPFInstall.exe, DrvInst.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\system32\DRIVERS\SET61B4.tmp | NPFInstall.exe
    File opened for modification | C:\Windows\system32\DRIVERS\npcap.sys | NPFInstall.exe
    File opened for modification | C:\Windows\System32\drivers\loop.sys | DrvInst.exe
    File opened for modification | C:\Windows\system32\DRIVERS\SET61B4.tmp | NPFInstall.exe
  • Executes dropped EXE
    vcredist_x64.exe, vcredist_x64.exe, VC_redist.x64.exe, npcap-1.00.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe, NPFInstall.exe

    Reported IOCs

    pid | process
    2704 | vcredist_x64.exe
    1340 | vcredist_x64.exe
    2136 | VC_redist.x64.exe
    3412 | npcap-1.00.exe
    4020 | NPFInstall.exe
    1396 | NPFInstall.exe
    912 | NPFInstall.exe
    1708 | NPFInstall.exe
    1160 | NPFInstall.exe
  • Suspicious Office macro

    Description

    Office document equipped with 4.0 macros.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000100000001abfd-20.dat | office_xlm_macros
    behavioral2/files/0x000100000001abfe-22.dat | office_xlm_macros
  • Loads dropped DLL
    Wireshark-win64-3.4.0.exe, vcredist_x64.exe, VC_redist.x64.exe, npcap-1.00.exe

    Reported IOCs

    pid | process
    648 | Wireshark-win64-3.4.0.exe
    648 | Wireshark-win64-3.4.0.exe
    648 | Wireshark-win64-3.4.0.exe
    648 | Wireshark-win64-3.4.0.exe
    648 | Wireshark-win64-3.4.0.exe
    648 | Wireshark-win64-3.4.0.exe
    1340 | vcredist_x64.exe
    2924 | VC_redist.x64.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
    3412 | npcap-1.00.exe
  • Adds Run key to start application
    VC_redist.x64.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f770e99-3916-4b0c-8f9b-83822826bcbf} = "\"C:\\ProgramData\\Package Cache\\{0f770e99-3916-4b0c-8f9b-83822826bcbf}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | VC_redist.x64.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates connected drives
    msiexec.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
  • JavaScript code in executable

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000100000001abc2-11.dat | js
    behavioral2/files/0x000100000001abc2-12.dat | js
    behavioral2/files/0x000100000001abc5-14.dat | js
    behavioral2/files/0x000100000001abc5-15.dat | js
    behavioral2/files/0x000100000001abf7-18.dat | js
    behavioral2/files/0x000100000001abf7-19.dat | js
    behavioral2/files/0x000100000001abfd-20.dat | js
    behavioral2/files/0x000100000001abfe-22.dat | js
    behavioral2/files/0x000200000001abfa-100.dat | js
  • Drops file in System32 directory
    msiexec.exe, npcap-1.00.exe, DrvInst.exe, NPFInstall.exe, NPFInstall.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\mfc140enu.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140rus.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
    File created | C:\Windows\system32\msvcp140.dll | msiexec.exe
    File created | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
    File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\WlanHelper.exe | npcap-1.00.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\npcap.cat | DrvInst.exe
    File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\Npcap\NpcapHelper.exe | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B5B.tmp | DrvInst.exe
    File opened for modification | C:\Windows\system32\vccorlib140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140deu.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140ita.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140deu.dll | msiexec.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_ecd984f601508a74\netserv.PNF | NPFInstall.exe
    File opened for modification | C:\Windows\system32\msvcp140_2.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140u.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140kor.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_9a1cea654bb8e715\npcap.cat | DrvInst.exe
    File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140esn.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B5B.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B6C.tmp | DrvInst.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_286311b3ad406c73\netrass.PNF | NPFInstall.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_e610f6f65afdc230\netnb.PNF | NPFInstall.exe
    File opened for modification | C:\Windows\system32\concrt140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\vcomp140.dll | msiexec.exe
    File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
    File opened for modification | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B6B.tmp | DrvInst.exe
    File opened for modification | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
    File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
    File created | C:\Windows\system32\Npcap\wpcap.dll | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B6B.tmp | DrvInst.exe
    File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
    File created | C:\Windows\system32\Npcap\Packet.dll | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_739e9ec110147b31\netbrdg.PNF | NPFInstall.exe
    File opened for modification | C:\Windows\system32\vcamp140.dll | msiexec.exe
    File created | C:\Windows\system32\WlanHelper.exe | npcap-1.00.exe
    File created | C:\Windows\system32\Npcap\WlanHelper.exe | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_ff4a06185491a88a\netloop.PNF | NPFInstall.exe
    File created | C:\Windows\SysWOW64\Npcap\WlanHelper.exe | npcap-1.00.exe
    File created | C:\Windows\System32\DriverStore\Temp\{47e55893-f6bc-4b44-bcdf-6b7a43ec1a37}\SET5B6C.tmp | DrvInst.exe
    File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
    File opened for modification | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_9a1cea654bb8e715\NPCAP.inf | DrvInst.exe
    File created | C:\Windows\system32\mfc140cht.dll | msiexec.exe
    File created | C:\Windows\system32\mfcm140.dll | msiexec.exe
    File created | C:\Windows\system32\Npcap\NpcapHelper.exe | npcap-1.00.exe
    File created | C:\Windows\system32\concrt140.dll | msiexec.exe
    File created | C:\Windows\system32\vcomp140.dll | msiexec.exe
    File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfcm140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140jpn.dll | msiexec.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_9b48be32f09b1fb6\netnwifi.PNF | NPFInstall.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_9a1cea654bb8e715\npcap.PNF | NPFInstall.exe
    File created | C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF | NPFInstall.exe
    File opened for modification | C:\Windows\system32\msvcp140.dll | msiexec.exe
    File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
    File created | C:\Windows\SysWOW64\wpcap.dll | npcap-1.00.exe
  • Modifies service
    vssvc.exe, srtasks.exe, npcap-1.00.exe, svchost.exe, NPFInstall.exe, DrvInst.exe, NPFInstall.exe, VC_redist.x64.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000a587ad5edbbed6018c0f0000080c0000fb0300000000000005000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 480000000000000077088264dbbed60120090000800b0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | srtasks.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap\Parameters\AdminOnly = "1" | npcap-1.00.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap\Parameters\WinPcapCompatible = "1" | npcap-1.00.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage\Route = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rspndr\Linkage\Route = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Enter) = 48000000000000006663c25cdbbed6018c0f00001c090000ed0300000100000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Enter) = 48000000000000003e106e5ddbbed6018c0f00001c090000fd0300000100000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000c2c56a5edbbed6018c0f0000d0080000050000000100000004000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap\Parameters\Dot11Support = "1" | npcap-1.00.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 4800000000000000881cde5ddbbed6018c0f00001c090000050400000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Enter) = 48000000000000009c42e55ddbbed6018c0f0000a0080000f20300000100000003000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000979f635edbbed60120090000800b0000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | srtasks.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters | NPFInstall.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap\Parameters\Adapters\{03135B4A-AACF-4A0A-9A6C-4E8872C40EEC} | svchost.exe
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\kmloop\EventMessageFile = "%SystemRoot%\\System32\\netevent.dll" | DrvInst.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lltdio\Linkage\Route = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage\Export = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 48000000000000004b155a5edbbed6018c0f0000d0080000f50300000100000004000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ndisuio\Linkage\Export = 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.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\Parameters\Adapters\{7254E8C5-0B0D-42E8-A9CC-C24D168C7099}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000 | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 4800000000000000a276d252dbbed6018c0f0000780f0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 48000000000000003e106e5ddbbed6018c0f00001c090000030400000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7254e8c5-0b0d-42e8-a9cc-c24d168c7099}\EnableDHCP = "1" | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Leave) = 4800000000000000665bd65bdbbed6018c0f0000f0010000f90300000000000001000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Leave) = 48000000000000006663c25cdbbed6018c0f00001c090000ec0300000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 48000000000000009c42e55ddbbed6018c0f0000d0080000f20300000000000003000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap_wifi\Parameters\Adapters\{BF230D8A-9CF2-480E-BD07-297E4A7AFCB1} | svchost.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Linkage | svchost.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBIOS\Linkage | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 480000000000000067aba65bdbbed6018c0f0000c00f0000010400000100000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Leave) = 48000000000000009c42e55ddbbed6018c0f000030060000fc0300000000000003000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisImPlatform\Linkage\Route = 0000 | svchost.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters | NPFInstall.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Enter) = 4800000000000000a276d252dbbed6018c0f0000540f0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 48000000000000003a831b5cdbbed6018c0f00001c090000020400000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000a587ad5edbbed6018c0f0000080c0000fb0300000100000005000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | VC_redist.x64.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000008580c15ddbbed6018c0f000060090000fe0300000100000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000009c42e55ddbbed6018c0f0000a0080000040000000100000003000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap_wifi\Parameters\Adapters\{7254E8C5-0B0D-42E8-A9CC-C24D168C7099} | svchost.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Netbios\Parameters | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 480000000000000028af6b5ddbbed6018c0f00009c080000fc0300000100000003000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rspndr\Linkage\Bind = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Linkage\Export = 5c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400620069006f00730053006d00620000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f00540063007000690070005f007b00420046003200330030004400380041002d0039004300460032002d0034003800300045002d0042004400300037002d003200390037004500340041003700410046004300420031007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00420046003200330030004400380041002d0039004300460032002d0034003800300045002d0042004400300037002d003200390037004500340041003700410046004300420031007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f00540063007000690070005f007b00420046003200330030004400380041002d0039004300460032002d0034003800300045002d0042004400300037002d003200390037004500340041003700410046004300420031007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00420046003200330030004400380041002d0039004300460032002d0034003800300045002d0042004400300037002d003200390037004500340041003700410046004300420031007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00300033003100330035004200340041002d0041004100430046002d0034004100300041002d0039004100360043002d003400450038003800370032004300340030004500450043007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00300033003100330035004200340041002d0041004100430046002d0034004100300041002d0039004100360043002d003400450038003800370032004300340030004500450043007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f00540063007000690070005f007b00300033003100330035004200340041002d0041004100430046002d0034004100300041002d0039004100360043002d003400450038003800370032004300340030004500450043007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f00540063007000690070005f007b00300033003100330035004200340041002d0041004100430046002d0034004100300041002d0039004100360043002d003400450038003800370032004300340030004500450043007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f00540063007000690070005f007b00370032003500340045003800430035002d0030004200300044002d0034003200450038002d0041003900430043002d004300320034004400310036003800430037003000390039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f005400630070006900700036005f007b00370032003500340045003800430035002d0030004200300044002d0034003200450038002d0041003900430043002d004300320034004400310036003800430037003000390039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f00540063007000690070005f007b00370032003500340045003800430035002d0030004200300044002d0034003200450038002d0041003900430043002d004300320034004400310036003800430037003000390039007d0000005c004400650076006900630065005c004c0061006e006d0061006e0057006f0072006b00730074006100740069006f006e005f004e0065007400420054005f005400630070006900700036005f007b00370032003500340045003800430035002d0030004200300044002d0034003200450038002d0041003900430043002d004300320034004400310036003800430037003000390039007d0000000000 | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Enter) = 4800000000000000e110a95bdbbed6018c0f0000f0010000e90300000100000001000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 480000000000000051a5225cdbbed6018c0f0000a4080000ea0300000100000001000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 4800000000000000d5268c5edbbed6018c0f00001c090000f50300000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 4800000000000000a276d252dbbed6018c0f0000f0010000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 480000000000000063942e5cdbbed6018c0f0000a4080000020000000100000001000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Leave) = 4800000000000000cd1c385cdbbed6018c0f0000080c0000ea0300000000000001000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 480000000000000083775c5edbbed6018c0f0000a0080000050000000100000004000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MsLldp\Linkage\Route = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBIOS\Linkage\Bind = 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.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_) | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 48000000000000000f4fce5cdbbed6018c0f00001c090000f00300000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 400000000000000071e1e25ddbbed60158080000840e0000d5070000010000000000000000000000000000000000000000000000000000000000000000000000 | VC_redist.x64.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 48000000000000004b155a5edbbed6018c0f00001c090000f50300000100000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npcap_wifi\Parameters | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBT\Linkage\Bind = 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.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisImPlatform\Linkage\Export = 5c004400650076006900630065005c004e0064006900730049006d0050006c006100740066006f0072006d0000000000 | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Linkage\Bind = 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.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Netbios\Linkage | svchost.exe
    Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Leave) = 48000000000000001bdab85cdbbed6018c0f00001c090000ea0300000000000000000000000000003c9179cc123c0445a68fe1bd9d6010e000000000000000000000000000000000 | vssvc.exe
  • Drops file in Program Files directory
    Wireshark-win64-3.4.0.exe, NPFInstall.exe, npcap-1.00.exe, NPFInstall.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files\Wireshark\AUTHORS-SHORT | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.acme | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.rfc4675 | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.sg | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\nghttp2.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libsmi-2.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.digium | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.f5 | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.freeswitch | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.gemtek | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\wimaxasncp\dictionary.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libwinpthread-1.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.microsoft | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.sonicwall | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.telkom | Wireshark-win64-3.4.0.exe
    File opened for modification | C:\Program Files\Npcap\NPFInstall.log | NPFInstall.exe
    File created | C:\Program Files\Npcap\CheckStatus.bat | npcap-1.00.exe
    File created | C:\Program Files\Wireshark\diameter\mobileipv6.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.3com | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.arbor | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.aruba | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.audiocodes | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.dlink | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.eltex | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\zstd.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\lz4.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\cfilters | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\diameter\TGPP.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.freeradius | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.h3c | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.motorola | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libwsutil.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\diameter\Telefonica.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.3gpp | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.alteon | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.equallogic | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.meinberg | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.sofaware | Wireshark-win64-3.4.0.exe
    File opened for modification | C:\Program Files\Npcap\NPFInstall.log | NPFInstall.exe
    File created | C:\Program Files\Wireshark\diameter\Huawei.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libbcg729.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.chillispot | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.quintum | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\dtds\reginfo.dtd | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libspandsp-2.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\init.lua | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\console.lua | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libffi-6.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.aerohive | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.alcatel.esam | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.efficientip | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.tropos | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\libwireshark.dll | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.broadsoft | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.rfc2867 | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.ruggedcom | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\diameter\Siemens.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\diameter\dictionary.xml | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.asn | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.camiant | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.huawei | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.lucent | Wireshark-win64-3.4.0.exe
    File created | C:\Program Files\Wireshark\radius\dictionary.rfc3162 | Wireshark-win64-3.4.0.exe
    File createdC:\Program Files\Wireshark\radius\dictionary.wimax.wichorusWireshark-win64-3.4.0.exe
  • Drops file in Windows directory
    msiexec.exe, DrvInst.exe, NPFInstall.exe, DrvInst.exe, NPFInstall.exe, svchost.exe

    Reported IOCs

    description | ioc | process
  • NSIS installer

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000100000001acd4-103.dat | nsis_installer_1
    behavioral2/files/0x000100000001acd4-103.dat | nsis_installer_2
    behavioral2/files/0x000100000001acd4-104.dat | nsis_installer_1
    behavioral2/files/0x000100000001acd4-104.dat | nsis_installer_2
  • Checks SCSI registry key(s)
    svchost.exe, svchost.exe, DrvInst.exe, NPFInstall.exe, svchost.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
  • Creates scheduled task(s)
    SCHTASKS.EXE

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    3860 | SCHTASKS.EXE
  • Modifies data under HKEY_USERS
    DrvInst.exe, svchost.exe, msiexec.exe, svchost.exe, svchost.exe

    Reported IOCs

    description | ioc | process
  • Modifies registry class
    msiexec.exe, Wireshark-win64-3.4.0.exe, VC_redist.x64.exe, VC_redist.x64.exe

    Reported IOCs

    description | ioc | process
  • Suspicious behavior: EnumeratesProcesses
    msiexec.exe, NPFInstall.exe

    Reported IOCs

    pid | process
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    352 | msiexec.exe
    4020 | NPFInstall.exe
    4020 | NPFInstall.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    616
    616
    616
    616
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe, VC_redist.x64.exe, msiexec.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 3980 | vssvc.exe
    Token: SeRestorePrivilege | 3980 | vssvc.exe
    Token: SeAuditPrivilege | 3980 | vssvc.exe
    Token: SeShutdownPrivilege | 2136 | VC_redist.x64.exe
    Token: SeIncreaseQuotaPrivilege | 2136 | VC_redist.x64.exe
    Token: SeSecurityPrivilege | 352 | msiexec.exe
    Token: SeCreateTokenPrivilege | 2136 | VC_redist.x64.exe
    Token: SeAssignPrimaryTokenPrivilege | 2136 | VC_redist.x64.exe
    Token: SeLockMemoryPrivilege | 2136 | VC_redist.x64.exe
    Token: SeIncreaseQuotaPrivilege | 2136 | VC_redist.x64.exe
    Token: SeMachineAccountPrivilege | 2136 | VC_redist.x64.exe
    Token: SeTcbPrivilege | 2136 | VC_redist.x64.exe
    Token: SeSecurityPrivilege | 2136 | VC_redist.x64.exe
    Token: SeTakeOwnershipPrivilege | 2136 | VC_redist.x64.exe
    Token: SeLoadDriverPrivilege | 2136 | VC_redist.x64.exe
    Token: SeSystemProfilePrivilege | 2136 | VC_redist.x64.exe
    Token: SeSystemtimePrivilege | 2136 | VC_redist.x64.exe
    Token: SeProfSingleProcessPrivilege | 2136 | VC_redist.x64.exe
    Token: SeIncBasePriorityPrivilege | 2136 | VC_redist.x64.exe
    Token: SeCreatePagefilePrivilege | 2136 | VC_redist.x64.exe
    Token: SeCreatePermanentPrivilege | 2136 | VC_redist.x64.exe
    Token: SeBackupPrivilege | 2136 | VC_redist.x64.exe
    Token: SeRestorePrivilege | 2136 | VC_redist.x64.exe
    Token: SeShutdownPrivilege | 2136 | VC_redist.x64.exe
    Token: SeDebugPrivilege | 2136 | VC_redist.x64.exe
    Token: SeAuditPrivilege | 2136 | VC_redist.x64.exe
    Token: SeSystemEnvironmentPrivilege | 2136 | VC_redist.x64.exe
    Token: SeChangeNotifyPrivilege | 2136 | VC_redist.x64.exe
    Token: SeRemoteShutdownPrivilege | 2136 | VC_redist.x64.exe
    Token: SeUndockPrivilege | 2136 | VC_redist.x64.exe
    Token: SeSyncAgentPrivilege | 2136 | VC_redist.x64.exe
    Token: SeEnableDelegationPrivilege | 2136 | VC_redist.x64.exe
    Token: SeManageVolumePrivilege | 2136 | VC_redist.x64.exe
    Token: SeImpersonatePrivilege | 2136 | VC_redist.x64.exe
    Token: SeCreateGlobalPrivilege | 2136 | VC_redist.x64.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 352 | msiexec.exe
    Token: SeRestorePrivilege | 352 | msiexec.exe
  • Suspicious use of WriteProcessMemory
    Wireshark-win64-3.4.0.exe, vcredist_x64.exe, vcredist_x64.exe, VC_redist.x64.exe, VC_redist.x64.exe, VC_redist.x64.exe, npcap-1.00.exe, NPFInstall.exe, svchost.exe, NPFInstall.exe

    Reported IOCs

    description | pid | process | target process
    PID 648 wrote to memory of 2704 | 648 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 648 wrote to memory of 2704 | 648 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 648 wrote to memory of 2704 | 648 | Wireshark-win64-3.4.0.exe | vcredist_x64.exe
    PID 2704 wrote to memory of 1340 | 2704 | vcredist_x64.exe | vcredist_x64.exe
    PID 2704 wrote to memory of 1340 | 2704 | vcredist_x64.exe | vcredist_x64.exe
    PID 2704 wrote to memory of 1340 | 2704 | vcredist_x64.exe | vcredist_x64.exe
    PID 1340 wrote to memory of 2136 | 1340 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1340 wrote to memory of 2136 | 1340 | vcredist_x64.exe | VC_redist.x64.exe
    PID 1340 wrote to memory of 2136 | 1340 | vcredist_x64.exe | VC_redist.x64.exe
    PID 2136 wrote to memory of 1236 | 2136 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 2136 wrote to memory of 1236 | 2136 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 2136 wrote to memory of 1236 | 2136 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1236 wrote to memory of 2924 | 1236 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1236 wrote to memory of 2924 | 1236 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 1236 wrote to memory of 2924 | 1236 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 2924 wrote to memory of 1748 | 2924 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 2924 wrote to memory of 1748 | 2924 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 2924 wrote to memory of 1748 | 2924 | VC_redist.x64.exe | VC_redist.x64.exe
    PID 648 wrote to memory of 3412 | 648 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 648 wrote to memory of 3412 | 648 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 648 wrote to memory of 3412 | 648 | Wireshark-win64-3.4.0.exe | npcap-1.00.exe
    PID 3412 wrote to memory of 4020 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 4020 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 1396 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 1396 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 1396 wrote to memory of 1444 | 1396 | NPFInstall.exe | pnputil.exe
    PID 1396 wrote to memory of 1444 | 1396 | NPFInstall.exe | pnputil.exe
    PID 3412 wrote to memory of 912 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 912 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 1708 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 1708 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 2724 wrote to memory of 2700 | 2724 | svchost.exe | DrvInst.exe
    PID 2724 wrote to memory of 2700 | 2724 | svchost.exe | DrvInst.exe
    PID 3412 wrote to memory of 1160 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 3412 wrote to memory of 1160 | 3412 | npcap-1.00.exe | NPFInstall.exe
    PID 1160 wrote to memory of 1060 | 1160 | NPFInstall.exe | netsh.exe
    PID 1160 wrote to memory of 1060 | 1160 | NPFInstall.exe | netsh.exe
    PID 2724 wrote to memory of 3776 | 2724 | svchost.exe | DrvInst.exe
    PID 2724 wrote to memory of 3776 | 2724 | svchost.exe | DrvInst.exe
    PID 3412 wrote to memory of 3860 | 3412 | npcap-1.00.exe | SCHTASKS.EXE
    PID 3412 wrote to memory of 3860 | 3412 | npcap-1.00.exe | SCHTASKS.EXE
    PID 3412 wrote to memory of 3860 | 3412 | npcap-1.00.exe | SCHTASKS.EXE
Processes 26
  • C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Wireshark-win64-3.4.0.exe"
    Loads dropped DLL
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:648
    • C:\Program Files\Wireshark\vcredist_x64.exe
      "C:\Program Files\Wireshark\vcredist_x64.exe" /install /quiet /norestart
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\Temp\{7B77361D-0F87-4944-A9CE-997E8AB2D6A8}\.cr\vcredist_x64.exe
        "C:\Windows\Temp\{7B77361D-0F87-4944-A9CE-997E8AB2D6A8}\.cr\vcredist_x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vcredist_x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600 /install /quiet /norestart
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{32044B5D-B3C1-4F32-A275-67A7F6094C3E} {153D9411-EB65-4C35-957F-5DF96ECC298E} 1340
          Executes dropped EXE
          Adds Run key to start application
          Modifies service
          Modifies registry class
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:2136
          • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
            "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=976 -burn.embedded BurnPipe.{DC498C3D-75BA-471A-94DD-67479E6882AE} {5649FFB7-B1AE-445D-AF75-0F5E6573A008} 2136
            Suspicious use of WriteProcessMemory
            PID:1236
            • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
              "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={0f770e99-3916-4b0c-8f9b-83822826bcbf} -burn.filehandle.self=976 -burn.embedded BurnPipe.{DC498C3D-75BA-471A-94DD-67479E6882AE} {5649FFB7-B1AE-445D-AF75-0F5E6573A008} 2136
              Loads dropped DLL
              Suspicious use of WriteProcessMemory
              PID:2924
              • C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
                "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E5CA34B1-8EFA-4DB8-B267-DE6FA67F2A4E} {52494429-CA2E-4AF3-9631-C03E6E4CD48A} 2924
                Modifies registry class
                PID:1748
    • C:\Program Files\Wireshark\npcap-1.00.exe
      "C:\Program Files\Wireshark\npcap-1.00.exe" /winpcap_mode=no /loopback_support=no
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies service
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Users\Admin\AppData\Local\Temp\nsyC026.tmp\NPFInstall.exe
        "C:\Users\Admin\AppData\Local\Temp\nsyC026.tmp\NPFInstall.exe" -n -check_dll
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        PID:4020
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -c
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\SYSTEM32\pnputil.exe
          pnputil.exe -e
          PID:1444
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
        Executes dropped EXE
        PID:912
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Modifies service
        Drops file in Program Files directory
        Drops file in Windows directory
        PID:1708
      • C:\Program Files\Npcap\NPFInstall.exe
        "C:\Program Files\Npcap\NPFInstall.exe" -n -il
        Executes dropped EXE
        Drops file in System32 directory
        Modifies service
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SYSTEM32\netsh.exe
          netsh.exe interface show interface
          PID:1060
      • C:\Windows\SysWOW64\SCHTASKS.EXE
        SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
        Creates scheduled task(s)
        PID:3860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:3980
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    Checks SCSI registry key(s)
    Modifies data under HKEY_USERS
    PID:2284
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Modifies service
    PID:2336
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Blacklisted process makes network request
    Enumerates connected drives
    Drops file in System32 directory
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:352
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
    Modifies service
    PID:4008
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
    Drops file in Windows directory
    Checks SCSI registry key(s)
    Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{692e585a-1a80-2a43-a379-ca119a5e1108}\NPCAP.inf" "9" "405306be3" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Npcap"
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:2700
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\netloop.inf" "netloop.inf:db04a16c8f2dc9fb:kmloop.ndi:10.0.15063.0:*msloop," "4632877cf" "0000000000000174"
      Drops file in Drivers directory
      Modifies service
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:3776
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    Checks SCSI registry key(s)
    Modifies data under HKEY_USERS
    PID:3288
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
    Modifies data under HKEY_USERS
    PID:1400
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
                    • C:\PROGRA~1\Npcap\npcap.cat

                      MD5

                      f46c53fa7b243138ab78a47d07275e1c

                      SHA1

                      dc678606cdd4925e12b2b7a443d587577704a2be

                      SHA256

                      6424cb07e18a3a5a529f6dd30ffa4fca2b68fa876a47e68dd780c1092797b6f3

                      SHA512

                      0c6bb99d989810b9a3c7dbf8aa754ef48d812c395e418200a2accf9b3f5e2eda6fd36a0befc84ff1636bd60388ff86faa3d1a202666d3841468c0bf6d2ba0251

                    • C:\PROGRA~1\Npcap\npcap.sys

                      MD5

                      36359bf032d182de5d34ebbf40f90692

                      SHA1

                      1117afea33fea16f31f1c7fd6406b647eaa09e40

                      SHA256

                      54576ddbef03976f6c281740d1f237daf8ccb72f139bb064516a84327907600f

                      SHA512

                      087aa9a677e80c165d200d5f0aa58eb42a71564618e667d21a570cfdcd3a92e003368ccc2ae151f76d6b95d3ceeb72d3b60a0495701dc00dab85e429a9a72e77

                    • C:\Program Files\Npcap\NPCAP.inf

                      MD5

                      04d790525824c90010766480189c4e92

                      SHA1

                      26119ae5bd78642244e7248f037eda141827cb4a

                      SHA256

                      ca4aea82d315ee69edaa8988bf1f7a9ab6f617f715e580b3c548a711e869511a

                      SHA512

                      58d7091d1978a230cea9066a5a520659438531810f2c7c34583776ea72405dceb62624810ba00eb2812f7e2c118a3925a7cd9808b53f3d8ef40bc38d8aaa0a20

                    • C:\Program Files\Npcap\NPCAP_wfp.inf

                      MD5

                      b810a602b91df8bb508efb681f8189ed

                      SHA1

                      78a7b1aa393cb2aff6ec6643b6ba2d3a0bc02915

                      SHA256

                      513b6658c7ecf8648fa73ab5f5da38821ae0f39bdd30ac5ff93a4413ae2d1338

                      SHA512

                      9cffd9f4cb1f7f7d55009d319ab4e6487036b17bb9b7894195f6a4317abb8ad91e8503d439e0cc1fdeaf49080a94f798498c489a81d7a49e717de77f47615132

                    • C:\Program Files\Npcap\NPFInstall.exe

                      MD5

                      f93eedcb0df2ef914ed51cc927a1fde9

                      SHA1

                      55056db79c0963883931e4c59222827129137c85

                      SHA256

                      7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3

                      SHA512

                      9d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71

                    • C:\Program Files\Npcap\NPFInstall.log

                      MD5

                      818bed853a6ef00e5cf4032829f6e9d0

                      SHA1

                      20d680605db6ef509408f05f6a69ac596b4bfce9

                      SHA256

                      3e5771257c826187ba8c3150a3ade2e14ba821489010097f383aa0fbdac7c768

                      SHA512

                      7579ac9ef7bd601c2bb9cd6d8eed71a6d699eec36566e175201839086bce721259f3cdc9aae9db570b319832f1f8b942cccabda90d817a7b030d0f433f1b1188

                    • C:\Program Files\Npcap\NPFInstall.log

                      MD5

                      c03dedfba21c545b5b9d629ca453cde6

                      SHA1

                      2f4945622873a6f76689cb6e21916094e04d07db

                      SHA256

                      a8913efc1f655de6bbc61fe38e0c4b866af62ceb6efdc53d8bd5915ec3ef0cf8

                      SHA512

                      cd707a81fa493e6557a669c4591ddcd5ec3c948138e01cac82b0cd85e631c253ec99ed67c3702244e0fd2d9fa932554b2e668b5bb2f7c2c2377fb9f5487992cb

                    • C:\Program Files\Npcap\NPFInstall.log

                      MD5

                      deb5d698bd4d9463400ab28d61256199

                      SHA1

                      27687e6076aee7c95ef38cfed9ae946d2a99b80f

                      SHA256

                      71d86172328b130add235c82d0ee213a67b6b7736762317c37e5ab87d1d685a0

                      SHA512

                      f86cdf7606f8d413c9c02bf0961f95a9bd1306bedb99ad9b5dc1e15a9600275eefda25dae9af54a86fe4f8f432829d76be15b901ac9febf319694d9b0f819d89

                    • C:\Program Files\Npcap\NPFInstall.log

                      MD5

                      8ed6acd3669bfb357dd7aedb449a18e5

                      SHA1

                      9f9d06cb63ed0e4107bb8e33f833a584b7c1dcc0

                      SHA256

                      d0d296c5538a2f871f06cb8ad5a9ac8012bf6410d7e5ed258cc8efb85f0abf40

                      SHA512

                      826d09a7f55174aa18f852d104d5c1722e95c7c5639376adc2343fc34c167c50b052eef77b3dad516ac1555fc327c00d9cf84b55283112a4389114e0a96ad547

                    • C:\Program Files\Wireshark\npcap-1.00.exe

                      MD5

                      fc8cb1b4677c90859af51c8c664e755d

                      SHA1

                      62f3d68f01f93c1b5b3f915a2781cd523394b944

                      SHA256

                      488ab12e28e81d0dcf3d5d996f9cb676293f6f73b39e9c99476b5a44cec2250a

                      SHA512

                      bbdc020bf97f75c8f63f09495e5580fcc77af342fe4866fcc12023d75d8ff73b0826c66a655b70f79588ab7a1b8eea0baf228305214a9b3ea60667799246dcaf

                    • C:\Program Files\Wireshark\vcredist_x64.exe

                      MD5

                      9f096b97d204078b443dbcbf18e0ebb0

                      SHA1

                      a55510a8c9708b2c68b39cd50bbcaf86e2c885f0

                      SHA256

                      4b5890eb1aefdf8dfa3234b5032147eb90f050c5758a80901b201ae969780107

                      SHA512

                      c606a3ac915a62608b71bd3114a9725746f17a882420c38eaf905c3433a95187bff61013b8cf1af2013cc504ab07726758388beef2063709af253ffd2d7572ec

                    • C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx

                      MD5

                      9238a5014ea27c2978f71a43d3f7a5e2

                      SHA1

                      e87850bb4ab0082a55a88b6adcd6a104c4039507

                      SHA256

                      79c1b71c8ac98acc2d474c5364e0305522d1171df3fd54e96967b5fee750ab50

                      SHA512

                      d585bf4ba173d48a1404bfc38cc5d833dfa81f91de84d2f3660cd70d4d6acf1b2fcaaaa3a286fd925f33a60cdefecf320e22ef9a8ebf210116f333a49d521f59

                    • C:\ProgramData\Package Cache\{0f770e99-3916-4b0c-8f9b-83822826bcbf}\VC_redist.x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20201120012022_000_vcRuntimeMinimum_x64.log

                      MD5

                      e62dac93ea9853659b11860b151af47e

                      SHA1

                      f1e84d7c04f1ae7ac301891c7e7e91e9e1a6aab0

                      SHA256

                      a642625383439222c31e099ba6a564150fbb474acfdc51a469934db19a51e07d

                      SHA512

                      bebe28ea30a1207bcfce9aa5890d4d6035769069a5515c7804f8352a08f24e0739a4eb6efb74205270e8967f7c90edc0a0dc6c8e04ae465901ea32d34e042917

                    • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20201120012022_001_vcRuntimeAdditional_x64.log

                      MD5

                      925b2dcac533d9739a64379a0c2bb028

                      SHA1

                      ce8d981b57a8d33f2bebc0e96bd49c58e2bc5dd6

                      SHA256

                      cc88098ad198d9fc2f2df98a6e0e3b865a03675e3d47ef0720955e7191234d0e

                      SHA512

                      f07134a8e9c6577c35341da8f7813c91b7ddfd12fc9623f56db5a7c68961406d71a196c9c17a817f27d9dd4a0086f7b4f0b2b15fe2b6953f357a709e951420b1

                    • C:\Users\Admin\AppData\Local\Temp\nsyC026.tmp\NPFInstall.exe

                      MD5

                      f93eedcb0df2ef914ed51cc927a1fde9

                      SHA1

                      55056db79c0963883931e4c59222827129137c85

                      SHA256

                      7b2495ccfdd27823a657caec81e82494da112142d74079637737c2bb767ec6b3

                      SHA512

                      9d5ae513d6e73ebb1286284e130f1ba0d1781215587696d8492bd9d8d3cbc05931bb42add9edae83132b4e3b078387413d97b43c122c2cdd1fa0094eb71a4b71

                    • C:\Users\Admin\AppData\Local\Temp\{692E5~1\npcap.cat

                      MD5

                      f46c53fa7b243138ab78a47d07275e1c

                      SHA1

                      dc678606cdd4925e12b2b7a443d587577704a2be

                      SHA256

                      6424cb07e18a3a5a529f6dd30ffa4fca2b68fa876a47e68dd780c1092797b6f3

                      SHA512

                      0c6bb99d989810b9a3c7dbf8aa754ef48d812c395e418200a2accf9b3f5e2eda6fd36a0befc84ff1636bd60388ff86faa3d1a202666d3841468c0bf6d2ba0251

                    • C:\Users\Admin\AppData\Local\Temp\{692E5~1\npcap.sys

                      MD5

                      36359bf032d182de5d34ebbf40f90692

                      SHA1

                      1117afea33fea16f31f1c7fd6406b647eaa09e40

                      SHA256

                      54576ddbef03976f6c281740d1f237daf8ccb72f139bb064516a84327907600f

                      SHA512

                      087aa9a677e80c165d200d5f0aa58eb42a71564618e667d21a570cfdcd3a92e003368ccc2ae151f76d6b95d3ceeb72d3b60a0495701dc00dab85e429a9a72e77

                    • C:\Users\Admin\AppData\Local\Temp\{692e585a-1a80-2a43-a379-ca119a5e1108}\NPCAP.inf

                      MD5

                      04d790525824c90010766480189c4e92

                      SHA1

                      26119ae5bd78642244e7248f037eda141827cb4a

                      SHA256

                      ca4aea82d315ee69edaa8988bf1f7a9ab6f617f715e580b3c548a711e869511a

                      SHA512

                      58d7091d1978a230cea9066a5a520659438531810f2c7c34583776ea72405dceb62624810ba00eb2812f7e2c118a3925a7cd9808b53f3d8ef40bc38d8aaa0a20

                    • C:\Windows\INF\netloop.PNF

                      MD5

                      ce41bfe3a2fbe71f8b5f5a18c24acd87

                      SHA1

                      0bafc66b94497ba5a5077377f18eae5f639a653e

                      SHA256

                      6db5955a1baef58285b7ca96b530777bd24c155f9780894b4c9a86193feea698

                      SHA512

                      e5a08e778584cd3ec4511dd22dbe06fbeab1d251fc1621d32664b2555ce2520d8582ad7615d7a0962f6b1b8e0b513c17464f040c9e9ba5379fe3f9fcaa384918

                    • C:\Windows\INF\oem2.inf

                      MD5

                      04d790525824c90010766480189c4e92

                      SHA1

                      26119ae5bd78642244e7248f037eda141827cb4a

                      SHA256

                      ca4aea82d315ee69edaa8988bf1f7a9ab6f617f715e580b3c548a711e869511a

                      SHA512

                      58d7091d1978a230cea9066a5a520659438531810f2c7c34583776ea72405dceb62624810ba00eb2812f7e2c118a3925a7cd9808b53f3d8ef40bc38d8aaa0a20

                    • C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_9a1cea654bb8e715\npcap.inf

                      MD5

                      04d790525824c90010766480189c4e92

                      SHA1

                      26119ae5bd78642244e7248f037eda141827cb4a

                      SHA256

                      ca4aea82d315ee69edaa8988bf1f7a9ab6f617f715e580b3c548a711e869511a

                      SHA512

                      58d7091d1978a230cea9066a5a520659438531810f2c7c34583776ea72405dceb62624810ba00eb2812f7e2c118a3925a7cd9808b53f3d8ef40bc38d8aaa0a20

                    • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\.be\VC_redist.x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

                      MD5

                      5c2a82f74a564f4bd605207dc8845b18

                      SHA1

                      a3681d7e7cbc9e4cde84b85f55bdc94f079fa17f

                      SHA256

                      c4766867d211cc60069f2bc088d80aecb64f1d62d0d1116993f34a22e62073cf

                      SHA512

                      af19f506441db43096ee211864e7de39248975b8a18b5b99078b31ee0ed5e659b8838bac11499d0fe8bf971ffd73c50a3cbc01efa67e62ac192a6c041699b726

                    • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\cab5046A8AB272BF37297BB7928664C9503

                      MD5

                      e76673ff437d9953e47bc7dff98cca82

                      SHA1

                      b3b8cda5d4ae340fb381e06124da63f1f753fbdf

                      SHA256

                      9ae5e7da815b59ba58b8d40d0438d96b02bcadde8d5afb4e359b2118ac968f95

                      SHA512

                      003f2b8c5c8556a7fa1e12b49d2b36bdd0a8581e41952e9eda76bcf3cb85f546fbd8df242cc8d46d6ea0b79979d7a4ac0380100a17ed4c7e016be86fc21d9dd3

                    • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\vcRuntimeAdditional_x64

                      MD5

                      c67f21677ad09aaec06560558d0b61e3

                      SHA1

                      092eb8fafc5ae0105234112ea782be0147b6822e

                      SHA256

                      13de3270d5ec9025c818089a2bd514d4dce1d784083ab36ca7350c4ec2a32737

                      SHA512

                      7c46dc50be247d7927e9761927a04457565736d9c35bf81862e8131e5115766e404f2412ea176f4f7119c91eeb59ebf321cc04d54dc0cad55c811838d4098ad7

                    • C:\Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\vcRuntimeMinimum_x64

                      MD5

                      1aadae6e83982688768731a678a37568

                      SHA1

                      18ec1cf86e1788d82ed5aabccf22747577f30edb

                      SHA256

                      c646c4ccaedcf755e296027f34f40c0b50469f0358fdc6bb266b42fee94de58c

                      SHA512

                      2dbde85f2c96bd127eabc8e1095fe6e9b232bd13335257e3a2a5c30c14e91a677c8c80a52386bfb9ab89f3dad42f4fc151bf0ddd31383a137a9631eb78f92b2e

                    • C:\Windows\Temp\{7B77361D-0F87-4944-A9CE-997E8AB2D6A8}\.cr\vcredist_x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • C:\Windows\Temp\{7B77361D-0F87-4944-A9CE-997E8AB2D6A8}\.cr\vcredist_x64.exe

                      MD5

                      968e1c550c1254a3d5f63f4a78ac3b2b

                      SHA1

                      1b1427bf86c326e1f402887af5082653129cf03e

                      SHA256

                      bd6e4dae56565a5be06b849a596ff2a552b2d89de96014f0dbbce5d8e4ab39f6

                      SHA512

                      d5b53a0a7fbc5316228e101ebc753df373c2d795dc89678f33280bc4835cd400edf653ea9f7b0dbf6d03c31048ebc88ae17d9618ea3a805f96ca71502299515f

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\InstallOptions.dll

                      MD5

                      09d8971beefefffd710030dd167a99e0

                      SHA1

                      a0117786ad77213f3eb48cfdc3819786cb796b7d

                      SHA256

                      caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

                      SHA512

                      3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\InstallOptions.dll

                      MD5

                      09d8971beefefffd710030dd167a99e0

                      SHA1

                      a0117786ad77213f3eb48cfdc3819786cb796b7d

                      SHA256

                      caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

                      SHA512

                      3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\InstallOptions.dll

                      MD5

                      09d8971beefefffd710030dd167a99e0

                      SHA1

                      a0117786ad77213f3eb48cfdc3819786cb796b7d

                      SHA256

                      caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

                      SHA512

                      3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\InstallOptions.dll

                      MD5

                      09d8971beefefffd710030dd167a99e0

                      SHA1

                      a0117786ad77213f3eb48cfdc3819786cb796b7d

                      SHA256

                      caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

                      SHA512

                      3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\System.dll

                      MD5

                      8cf2ac271d7679b1d68eefc1ae0c5618

                      SHA1

                      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

                      SHA256

                      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

                      SHA512

                      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

                    • \Users\Admin\AppData\Local\Temp\nsf6171.tmp\nsDialogs.dll

                      MD5

                      ec9640b70e07141febbe2cd4cc42510f

                      SHA1

                      64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

                      SHA256

                      c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

                      SHA512

                      47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\InstallOptions.dll

                      MD5

                      d8bfba73978801ed5c291b847ae6ed0f

                      SHA1

                      afd973df6c0fd92372b787f2a06a02fa4c03b877

                      SHA256

                      75fca8af133756a0d36ad9b6177ef8ee01b6dd18ede216d82b2eb5f8092a84cd

                      SHA512

                      62b921725c727247b96622765caa4ddec1126980e677764f9bdb5e68eae50044747f0ee99744c44b7a7253a57e3c28a2fc19a99d479787aa4944499871db92f2

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\InstallOptions.dll

                      MD5

                      d8bfba73978801ed5c291b847ae6ed0f

                      SHA1

                      afd973df6c0fd92372b787f2a06a02fa4c03b877

                      SHA256

                      75fca8af133756a0d36ad9b6177ef8ee01b6dd18ede216d82b2eb5f8092a84cd

                      SHA512

                      62b921725c727247b96622765caa4ddec1126980e677764f9bdb5e68eae50044747f0ee99744c44b7a7253a57e3c28a2fc19a99d479787aa4944499871db92f2

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\SimpleSC.dll

                      MD5

                      4a2b58bd7cab29463d9e53fcb9a252b6

                      SHA1

                      4679ba66db7989a64c41892bbb3f7cec38fb5597

                      SHA256

                      18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

                      SHA512

                      e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\System.dll

                      MD5

                      6a2f80ed640b6c2458329c2d3f8d9e3f

                      SHA1

                      c6dba02a05dbf15aa5de3ac1464bc9dce995eb80

                      SHA256

                      1e981423fda8f74e9a7079675c1a6fe55c716d4c0d50fb03ea482ff7500db14b

                      SHA512

                      00d49b1874d76b150a646ac40032b34608e548cfd806642982e446619c9852a0ab5389791468651c4d51d118aad502174e7b887c2b5b6a7a3e35ddd9bd50d722

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Users\Admin\AppData\Local\Temp\nsyC026.tmp\nsExec.dll

                      MD5

                      78bda400d7b80858c014fc79bd8fc49b

                      SHA1

                      f5bb0e85ba892611cf79b3c2756e87a59e1e213c

                      SHA256

                      6bd24522cd139c978cc259d5612188053577ba9de46e2d77642bd4d19fc959d4

                      SHA512

                      95a1aced8deaad51ad7990b83f0e5768fab9e1c7aa64d9fd656baa850d81c0955b7989ce08a02fedbb8c9d77ec135b2a9d132effbfc0f8478a052095140c74cc

                    • \Windows\Temp\{1CF482EF-8EA4-4FBD-B356-C6EEC2DA790A}\.ba\wixstdba.dll

                      MD5

                      eab9caf4277829abdf6223ec1efa0edd

                      SHA1

                      74862ecf349a9bedd32699f2a7a4e00b4727543d

                      SHA256

                      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

                      SHA512

                      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

                    • \Windows\Temp\{617EF361-0FA7-4147-BD59-5D808AFA591D}\.ba\wixstdba.dll

                      MD5

                      eab9caf4277829abdf6223ec1efa0edd

                      SHA1

                      74862ecf349a9bedd32699f2a7a4e00b4727543d

                      SHA256

                      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

                      SHA512

                      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
