afafbdec1ba92a21549741d7a07d98a94e5986642f3fc87621cedf557f9ed6b0

Analysis

max time kernel
10s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NoPingSetup.exe
Size

104.0MB
MD5

8ddb03b1ca26db7e67fdcdc72a1fe8e6
SHA1

c36ea15daf1d7714e6b07b74ad7a2855c0bc85e0
SHA256

afafbdec1ba92a21549741d7a07d98a94e5986642f3fc87621cedf557f9ed6b0
SHA512

7dd7948c95a70f2e644b2185933fcdfd7b9302d2d32278272cc613b228ea039a241814f9fe2dea12eb25c695eadb85789e3002b8406e8669e0dd54ce46c913a3
SSDEEP

1572864:oiJX0FGgQi+annVsZl6CpzVtGPE+/aUQZIf/3NTMMqw7ALIo7KOpttD7y0/5QB6y:za7PVM0E+3+/wcL1De0/i4kDe0/F

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
736	NoPingSetup.exe
736	NoPingSetup.exe
736	NoPingSetup.exe
736	NoPingSetup.exe
736	NoPingSetup.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
736	NoPingSetup.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	1008	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	NoPingSetup.exe
File opened (read-only)	\??\V:	NoPingSetup.exe
File opened (read-only)	\??\Z:	NoPingSetup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	NoPingSetup.exe
File opened (read-only)	\??\H:	NoPingSetup.exe
File opened (read-only)	\??\K:	NoPingSetup.exe
File opened (read-only)	\??\M:	NoPingSetup.exe
File opened (read-only)	\??\O:	NoPingSetup.exe
File opened (read-only)	\??\R:	NoPingSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	NoPingSetup.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	NoPingSetup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	NoPingSetup.exe
File opened (read-only)	\??\J:	NoPingSetup.exe
File opened (read-only)	\??\Q:	NoPingSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	NoPingSetup.exe
File opened (read-only)	\??\U:	NoPingSetup.exe
File opened (read-only)	\??\X:	NoPingSetup.exe
File opened (read-only)	\??\Y:	NoPingSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	NoPingSetup.exe
File opened (read-only)	\??\I:	NoPingSetup.exe
File opened (read-only)	\??\W:	NoPingSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	NoPingSetup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	NoPingSetup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{83167E82-4B32-4E4C-A800-950874580ED5}.job	NoPingSetup.exe
File created	C:\Windows\Installer\e57bd93.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bd93.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 190000000100000010000000683f58e5528121a89cf21532e700535f030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e6200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c09000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410020005200320000005300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b2000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb	NoPingSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A	NoPingSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A\Blob = 0f0000000100000020000000cf1152c4bfbd96b6d381b61e0c66e7a74b1185518120396449abe53aaadf640b5300000001000000850000003081823022060c2b0601040182a9300103010430123010060a2b0601040182373c0101030200c03022060c2b0601040182a9300103030230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000005e000000530053004c002e0063006f006d00200045005600200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100200052003200000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000002e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c140000000100000014000000f960bbd4e3d534f6b8f5068025a773db4669a89e1d000000010000001000000056073d58ce8c0d7b5056f74735db0b62030000000100000014000000743af0529bd032a0f44a83cdd4baa97b7c2ec49a2000000001000000ef050000308205eb308203d3a003020102020856b629cd34bc78f6300d06092a864886f70d01010b0500308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f7269747920525341205232301e170d3137303533313138313433375a170d3432303533303138313433375a308182310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3137303506035504030c2e53534c2e636f6d20455620526f6f742043657274696669636174696f6e20417574686f726974792052534120523230820222300d06092a864886f70d01010105000382020f003082020a02820201008f366540e1d64dc0d7b4e946da6bea3347cd4cf97d7dbebd2d3df0db78e186a5d9ba095768ed573ea0d0084183e72841241fe37215d0011afb5e7023b2cb9f39e3cfc54ec6926d26c67bbbb3da279d0a86e9813705fef07171ecc31ce963a217149def1b67d385550202d649c9cc5ae1b1f76f329fc9d43b8841a89cbdcbabdb6d7b091fa24c7290da2b08fccf3c54ce670fa8cf5d96190bc4e372ebadd17d1d27ef92eb10bf5beb3bafcf80ddc1d296045b7a7ea4a93c3876a4628ea0395eea77cf5d00598f662c3e07a2a30526116997ea85b70f960b4bc840e150ba2e8acbf70f9a22e77f9a3713cdf24d136b21d1c0cc22f2a146f644699cca613507006fd6610811eabab8f6e9b360e54db9ec9f1466c95758dbcd8769f88a86120347bf661376ac777d34248583cdd7aa9c901a9f212c7f78b764b8d8e8a6f478b355cb84d232c478aea38f61ddce0853adec88fc15e49a0de69f1a77ce4c8fb814153d629c863806006612e459765a53c00298a2102b68447b8e79ce334a76aa5b81161bb58ad8d0007b5e62b409d686630ea6059549ba288b8893b2341cd8a4556eb71cd0de99553b23f422e0f9296626ec205077db4a0b8fbee5026070415ed4ae5039221426cbb23b7374554707798139a8301344e5048aae961325420fb953c49bfccde41cde3cfaabd6064a1f67a698301cdd2cdbdc18955766c6ff5c8b56f5770203010001a3633061300f0603551d130101ff040530030101ff301f0603551d23041830168014f960bbd4e3d534f6b8f5068025a773db4669a89e301d0603551d0e04160414f960bbd4e3d534f6b8f5068025a773db4669a89e300e0603551d0f0101ff040403020186300d06092a864886f70d01010b0500038202010056b38ecb0a9d498ebfa4c491bb661705519875fbe5502c7a9ef114faabd38a3eff91298f638bd8b4a954010dbe93862ff94a6dc75ef557f9ca551c12be470f36c5df6ab7db75c247257fb9f163f8682d5504d1f28db0a4cfbc3c5e1f78e7a5a02070b004c5b7f772a7de220dbd3325468c649226e33e2e6396da9b8c3df81809d703cc7d8682e0ca04075150d7ff92d50cefda869f99d7ebb7af68e2392694ba68b7bf83d3ea7a673d6267ae25e572e8e2e4ecae12f64b2b3c9fe9b040f33854b3fdb768c8dac68f513cb2fb91dc1ce79b9de1b70d728fe2a4c4a978f9eb14acc64305c26539281802c382b29d05be65ed965f65743cfb09352e7b9c13fd1b0f5dc76d813a560fcc3be1af022f22ac46ca463ca01c4cd644b45e2e5c156609e12629fec65261bab173ffc30c9ce56c6a943f14ca40169584f359a9ac5f4c61936dd13bcca2950c22a66767442eb9d9d28a41b3660b5afb7d23a5f21ab0ffde9b83942ed13fdf92b791af053b65c7a06cb1cd6212c3901be325ce34bc6f7776b110c3f7051ac0d6af7462481777926990611cde958074548f181cc3f303d0bfa443758653187a0a2e091c369f91fd828a224bd10e5025ddcb030c17c98300084e354d8a8bedf00294662c447fcb95279617ad0930acb671176e8b17f61c09d42d3b98a571d35413d960f3f54b664ffaf1ee20128db4ac57b14563a1ac76a9c2fb	NoPingSetup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe
4952	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1008	msiexec.exe
Token: SeCreateTokenPrivilege	736	NoPingSetup.exe
Token: SeAssignPrimaryTokenPrivilege	736	NoPingSetup.exe
Token: SeLockMemoryPrivilege	736	NoPingSetup.exe
Token: SeIncreaseQuotaPrivilege	736	NoPingSetup.exe
Token: SeMachineAccountPrivilege	736	NoPingSetup.exe
Token: SeTcbPrivilege	736	NoPingSetup.exe
Token: SeSecurityPrivilege	736	NoPingSetup.exe
Token: SeTakeOwnershipPrivilege	736	NoPingSetup.exe
Token: SeLoadDriverPrivilege	736	NoPingSetup.exe
Token: SeSystemProfilePrivilege	736	NoPingSetup.exe
Token: SeSystemtimePrivilege	736	NoPingSetup.exe
Token: SeProfSingleProcessPrivilege	736	NoPingSetup.exe
Token: SeIncBasePriorityPrivilege	736	NoPingSetup.exe
Token: SeCreatePagefilePrivilege	736	NoPingSetup.exe
Token: SeCreatePermanentPrivilege	736	NoPingSetup.exe
Token: SeBackupPrivilege	736	NoPingSetup.exe
Token: SeRestorePrivilege	736	NoPingSetup.exe
Token: SeShutdownPrivilege	736	NoPingSetup.exe
Token: SeDebugPrivilege	736	NoPingSetup.exe
Token: SeAuditPrivilege	736	NoPingSetup.exe
Token: SeSystemEnvironmentPrivilege	736	NoPingSetup.exe
Token: SeChangeNotifyPrivilege	736	NoPingSetup.exe
Token: SeRemoteShutdownPrivilege	736	NoPingSetup.exe
Token: SeUndockPrivilege	736	NoPingSetup.exe
Token: SeSyncAgentPrivilege	736	NoPingSetup.exe
Token: SeEnableDelegationPrivilege	736	NoPingSetup.exe
Token: SeManageVolumePrivilege	736	NoPingSetup.exe
Token: SeImpersonatePrivilege	736	NoPingSetup.exe
Token: SeCreateGlobalPrivilege	736	NoPingSetup.exe
Token: SeCreateTokenPrivilege	736	NoPingSetup.exe
Token: SeAssignPrimaryTokenPrivilege	736	NoPingSetup.exe
Token: SeLockMemoryPrivilege	736	NoPingSetup.exe
Token: SeIncreaseQuotaPrivilege	736	NoPingSetup.exe
Token: SeMachineAccountPrivilege	736	NoPingSetup.exe
Token: SeTcbPrivilege	736	NoPingSetup.exe
Token: SeSecurityPrivilege	736	NoPingSetup.exe
Token: SeTakeOwnershipPrivilege	736	NoPingSetup.exe
Token: SeLoadDriverPrivilege	736	NoPingSetup.exe
Token: SeSystemProfilePrivilege	736	NoPingSetup.exe
Token: SeSystemtimePrivilege	736	NoPingSetup.exe
Token: SeProfSingleProcessPrivilege	736	NoPingSetup.exe
Token: SeIncBasePriorityPrivilege	736	NoPingSetup.exe
Token: SeCreatePagefilePrivilege	736	NoPingSetup.exe
Token: SeCreatePermanentPrivilege	736	NoPingSetup.exe
Token: SeBackupPrivilege	736	NoPingSetup.exe
Token: SeRestorePrivilege	736	NoPingSetup.exe
Token: SeShutdownPrivilege	736	NoPingSetup.exe
Token: SeDebugPrivilege	736	NoPingSetup.exe
Token: SeAuditPrivilege	736	NoPingSetup.exe
Token: SeSystemEnvironmentPrivilege	736	NoPingSetup.exe
Token: SeChangeNotifyPrivilege	736	NoPingSetup.exe
Token: SeRemoteShutdownPrivilege	736	NoPingSetup.exe
Token: SeUndockPrivilege	736	NoPingSetup.exe
Token: SeSyncAgentPrivilege	736	NoPingSetup.exe
Token: SeEnableDelegationPrivilege	736	NoPingSetup.exe
Token: SeManageVolumePrivilege	736	NoPingSetup.exe
Token: SeImpersonatePrivilege	736	NoPingSetup.exe
Token: SeCreateGlobalPrivilege	736	NoPingSetup.exe
Token: SeCreateTokenPrivilege	736	NoPingSetup.exe
Token: SeAssignPrimaryTokenPrivilege	736	NoPingSetup.exe
Token: SeLockMemoryPrivilege	736	NoPingSetup.exe
Token: SeIncreaseQuotaPrivilege	736	NoPingSetup.exe
Token: SeMachineAccountPrivilege	736	NoPingSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
736	NoPingSetup.exe
736	NoPingSetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4952	1008	msiexec.exe	86
PID 1008 wrote to memory of 4952	1008	msiexec.exe	86
PID 1008 wrote to memory of 4952	1008	msiexec.exe	86
PID 4952 wrote to memory of 1104	4952	MsiExec.exe	88
PID 4952 wrote to memory of 1104	4952	MsiExec.exe	88
PID 4952 wrote to memory of 1104	4952	MsiExec.exe	88
PID 736 wrote to memory of 2852	736	NoPingSetup.exe	90
PID 736 wrote to memory of 2852	736	NoPingSetup.exe	90
PID 736 wrote to memory of 2852	736	NoPingSetup.exe	90

C:\Users\Admin\AppData\Local\Temp\NoPingSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NoPingSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\NoPing\NoPing\prerequisites\Windows Packet Filter 3.2.32.1 x64.msi" /qn
  2⤵
  PID:2852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32F77BC6296AAF783CB150B9649127E0 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\NoPingSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\NoPingSetup.exe" /groupsextract:102; /out:"C:\Users\Admin\AppData\Roaming\NoPing\NoPing\prerequisites" /callbackid:4952
    3⤵
    PID:1104
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21E21994983757EF5F00FCDAB45E5A86 E Global\MSI0000
  2⤵
  PID:4500
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -addstore -f "TrustedPublisher" "C:\Program Files\Windows Packet Filter\certificates\root.cer"
    3⤵
    PID:5380
- - C:\Windows\system32\netcfg.exe
    "C:\Windows\system32\netcfg.exe" -v -l "C:\Program Files\Windows Packet Filter\drivers\ndisrd_lwf.inf" -c s -i nt_ndisrd
    3⤵
    PID:5460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:5516
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Windows Packet Filter\drivers\ndisrd_lwf.inf" "9" "4fed96993" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Windows Packet Filter\drivers"
  2⤵
  PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\WINDOW~1\drivers\ndisrd.cat

Filesize
10KB

MD5
57f18ba4482ce389813f1d9a7e4c25e2

SHA1
80952e76258d61bb2857a2cdad0b5f08d23f3f50

SHA256
b5d021d96b29b9c961c135dc992b68aea4380653b7179747b0f39e4a019a6f57

SHA512
f5812729085dfe557c2e48a74168064f501a274ea0f6bfbd590b67bd144a48d6b8576f04739b53d871fdb999ff7f5c2e6a7d025ae6d561eca1a376c4983efea8

Download Submit
C:\PROGRA~1\WINDOW~1\drivers\ndisrd.sys

Filesize
56KB

MD5
36b09f1926e69866333f33a87ae87c54

SHA1
120c914cb5a1c96971514a392acb9150ed1d748d

SHA256
8e9a3db5d50cea173fcf7f93552bd62846af4b92cafa8c25e55fff88a5a1d364

SHA512
3f4c6fd484666f4a4942ca92e124a48e3d1f3891ac613b6e14a79c2f9036006162ea46bcbcdd6901abeadbe45785f82561acd827299ab87000f626d644dea920

Download Submit
C:\Program Files\Windows Packet Filter\certificates\root.cer

Filesize
1KB

MD5
6a3ba8df688d08464008efa7ae49be8d

SHA1
fdb7cffe05417c221025e753bc3999e44d10c22a

SHA256
a09f01679b590ef637341dc874fb846581caecff0571036493ac42f4ff9ce335

SHA512
6109c023c87b1688b542baca5f94a7d4029e83fafbdec6e5dac811c80fb6ad7a17073a8896bae2a12620e21a364a75945e2fbfba7380a65a2ad665597c201788

Download Submit
C:\Program Files\Windows Packet Filter\drivers\ndisrd_lwf.inf

Filesize
2KB

MD5
7037faf01371f8f2b40acd965624f564

SHA1
df69062aeef984b957290d6b9216319ef19a8a57

SHA256
bff2d6c7975e221074c2a20c74f8671f191e7a43dcf9e7435366213dc40ac993

SHA512
29758763b23efd18f037c9695eb4f949feebfa15e41e2cfe3635d1163515e349fdc95de595215e5996ea3f6db1b15ee2f28c968e788b78e43b6dcf46dd04c0ed

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\5d51b84050869a5337d42184\2.15.8\tracking.ini

Filesize
84B

MD5
59f98bd7304552fc5b08b69c874b512c

SHA1
5a07a8eb582309a6a148eb408cd520e9955b295d

SHA256
604dcfc19a650bbddb7a718e62608969abebdbc812952fe2f42c48b8c1731168

SHA512
e6950c3f39556d01bb05443a9867ac643a798c60d623adbaff47aebc2da8ce3ebc66e3c13e525ec8956b80c36651e84ebd5786dbe99525965b573e1d82711990

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\5d51b84050869a5337d42184\2.15.8\{0E96B3D7-9307-4367-B620-6ECBFD2852D4}.session

Filesize
9KB

MD5
b5dc2c3725eeb0d50fc43f8d72a6a775

SHA1
7babda2f2b8ad020545a343060ecdd94d9e858f5

SHA256
6c10155cbc30998aeef300d83f8a62765dd3eae6a779ded9b7e5d21e0a4f80e6

SHA512
463038c08ff32b710270a653d06c1b21602ea1d297679ab81e658e49c94c9d1b34306d711b416cbd3975e3b5f6498c081fec3420b7b40fb76646cedf2becc549

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\5d51b84050869a5337d42184\2.15.8\{0E96B3D7-9307-4367-B620-6ECBFD2852D4}.session

Filesize
9KB

MD5
297928f403439c2a3f52e879f370eab5

SHA1
1f7ea6d226c46a0f23a724cf7773e670c5b69cc3

SHA256
2471aea26d8ab4781b728086e24953b3078975ac0e774a64338bd46ef3992357

SHA512
b41209cfc19e28956e3bc47be9db74fab4c592a08e07e8ea504b991e2f63974a54de1f9848e7af57c9ba5cd14260165a4ac2c0a581d2c76a7713711c3d2d68e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIEA41F.tmp

Filesize
5.2MB

MD5
6ff72f6da902335ed1150e1fc33d8851

SHA1
1eb6d898e64034db4e022c1a2c983322105904d8

SHA256
1b8e9fb8cf87de84fede1609bb6e0af3bd14923770b2e5b5dbdc8a3af1f417e8

SHA512
725167db08e7b55c7ad0a73dd7426b25d2b34be3bc33229b208df6ff10b5807b825f4c13e6c5d9eaa15ec018190ecb763b78368dab48187a49375209660108dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIEA41F.tmp

Filesize
5.2MB

MD5
0e4e992c2b43f0d4ff1ea59d358d9f05

SHA1
0173a0205bb6672919dff22e0a227450f176fe76

SHA256
d6839e192acb2f90e39e7022d65fba4560c8f825e138d2e06da04a2842a54610

SHA512
0464e399caef55b176b03ca80326f989ab00a02405485dd69c3ec14a65acff6a24b5ebf86291f495be8362e2073d5e640fecc87961656cc380da1644bb0ccbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_736\nopingbackground.bmp

Filesize
455KB

MD5
62268f7fd11af4a8a880d9c61113e7cc

SHA1
de0b193cfebf92774df0093367136e4fd594a88e

SHA256
4a17c06e672d3b997089b4c99137703c82be31e21888c12d5dbd5db9128dc50f

SHA512
aebf0c88f981a785e7334616cde72e82fe7605aca70d35bec075245f9f7339ef443d7e27b99ec505e909d96e6e678706fc800ecb9b7ce23812cd1faa057b9821

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_736\nopingcapa.bmp

Filesize
87KB

MD5
ca3b4618805596be0f16c9563ded4eeb

SHA1
6f55762a98819218819bd744cd84e5f5d1796643

SHA256
eae47f71faafd5c6597f2c0ad030168500be7d5e8dff908e9d0c8804b2f9ee4d

SHA512
abceeff59d3a28672e9f44be00405c5ae54ca193bdb36ef76fc307b827eeae7f10fa0003e8395fe5d770d2bcdba6902c40642de00fd3ee25919132df9ba442d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\INAAEDE.tmp

Filesize
727KB

MD5
6477efb82f12b11bae7a8a10cbe02d7e

SHA1
35ee1331af5d78f76b9a3aba5437d1058f31d834

SHA256
40c0576c36198324cf0b6bc7a812d974c53fec4ccc0d5d3cac10bfd2e8073e42

SHA512
39ad79bdeeaf76bacf6ce5e80c622c4330b79e0dab16e675a0fc0855189ec6c954de61c02adbd932db782176aec1ecf33a54f3909bbff44cc34a2a4a162be9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAF8C.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB039.tmp

Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB531.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiB548.tmp

Filesize
1.5MB

MD5
49837c8e11395b788ed57ae565c2d528

SHA1
a94cfc43658c26c708ebd696512a19bee642ba4d

SHA256
da58d01b7d1ca0ede5551baf411a90f948564a659e1dd78e0b56b45d419709b7

SHA512
65e63c038802f066ebdca24a4c24682a4e84bda029652adfc0b2011cd619ea10cccacb751b3266b838fb040de340d80973f58a317ccbec3a3c720af01b34b94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiB578.tmp

Filesize
85KB

MD5
9055f8ba2eb52ec3d998d9a10201227e

SHA1
bbbb67ed2c844f6b99824072a615317596ebe5cb

SHA256
be69a9ade29f36d5da7aeff9dcfc521cf226b3b8a9d99e465be9db3cc56143ae

SHA512
207b8c264cd73ec983ee431fd7647ab6e80d37bd3aec0a6ea4474540607e77ea75d8389cea20a18b7d312dcefb71d630bb96895793c1d106bab0f590a56cb7b8

Download Submit
C:\Users\Admin\AppData\Roaming\NoPing\NoPing 2.15.8\install\1033.dll

Filesize
105KB

MD5
1b4e214ecaed73d23fbc5bc8534474e6

SHA1
f5e6dda10f04718866f6e5fc516f77e6425ceb01

SHA256
13757a6ce2be8f00ebf38ad4c9e2c44bf416d474a87d7bec808a1640473d51bc

SHA512
e19e6363402f9d46662d0a3a630b9ae064802ea314523b480ac5fa6f8bc9801c9bfa2fb66c49449250fbf274551bd82695c9486e9736d306f23b7fbe00a17ca9

Download Submit
C:\Users\Admin\AppData\Roaming\NoPing\NoPing 2.15.8\install\decoder.dll

Filesize
182KB

MD5
fc136d5c16573d1d1a64b0a62b586235

SHA1
8363d0d80fb25e4ace7b77efcfe119b7675913a1

SHA256
5a12236a02ba2984b62d7acfe5afb048e461fc4c76989d055ffe8965f212ebbf

SHA512
0ad82e28de1a65251eb536aef9739a76baaaa28a41dae78faacb82a9d1acd83d71816051dec16b7664e16a741706803d1fc0ad914bcdca4d28cb2ac2a05ff427

Download Submit
C:\Users\Admin\AppData\Roaming\NoPing\NoPing\prerequisites\Windows Packet Filter 3.2.32.1 x64.msi

Filesize
628KB

MD5
0dd117284e8e5c456116876acd81bb96

SHA1
caaeebd848aa6296b08a85e03164d8f922d3925e

SHA256
39ffe8ac933a53f0bfe1fe3a61065f597c48b53572a7a744867a028e391005f0

SHA512
a3f224e09a650396793659636a96bd57aa05d61ad0f5961393794dd8509cb41c80902cb47fbec95583a4e426dc49a13d08e92f011883a80792f7779130ca4e08

Download Submit
C:\Windows\Installer\MSIC322.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit