a1e9d2a0a36f1cb5b3fd09a3e07335f9987549fca015428369043031e2cc67cc

Analysis

max time kernel
134s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A Installer/npcap-1.79.exe
Size

1.1MB
MD5

a4d7e47df742f62080bf845d606045b4
SHA1

723743dc9fa4a190452a7ffc971adfaac91606fa
SHA256

a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
SHA512

8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
SSDEEP

24576:q7INqm36s9R26Vhund3idw1/fayC9nHgeFhPuKX+dXlVp0WgB4:v13TR2ChAdLpfaVgUuZXlVpk4

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3640 powershell.exe
2588 powershell.exe
2604 powershell.exe
2540 powershell.exe
2396 powershell.exe
1124 powershell.exe

pid	process
3640	powershell.exe
2588	powershell.exe
2604	powershell.exe
2540	powershell.exe
2396	powershell.exe
1124	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

NPFInstall.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SETE791.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETE791.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.execertutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe

Drops file in System32 directory 42 IoCs

Processes:

npcap-1.79.exeDrvInst.exeNPFInstall.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE494.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE4A5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE4A5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE493.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE493.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{78d7882c-2146-1e4e-b9b4-6a1a68bdaa2c}\SETE494.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

Processes:

NPFInstall.exeNPFInstall.exenpcap-1.79.exeNPFInstall.exeNPFInstall.exe

description	ioc	process
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\DiagReport.ps1	npcap-1.79.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.inf	npcap-1.79.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap_wfp.inf	npcap-1.79.exe
File created	C:\Program Files\Npcap\CheckStatus.bat	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-1.79.exe
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.79.exe
File created	C:\Program Files\Npcap\DiagReport.bat	npcap-1.79.exe
File created	C:\Program Files\Npcap\NPFInstall.exe	npcap-1.79.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.79.exe
File created	C:\Program Files\Npcap\LICENSE	npcap-1.79.exe

Drops file in Windows directory 6 IoCs

Processes:

NPFInstall.exesvchost.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 4 IoCs

Processes:

NPFInstall.exeNPFInstall.exeNPFInstall.exeNPFInstall.exe

pid process

4496 NPFInstall.exe
3668 NPFInstall.exe
4832 NPFInstall.exe
4268 NPFInstall.exe

Loads dropped DLL 19 IoCs

Processes:

npcap-1.79.exe

pid	process
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe
4264	npcap-1.79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DrvInst.exeNPFInstall.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

NPFInstall.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4496	NPFInstall.exe
4496	NPFInstall.exe
2396	powershell.exe
2396	powershell.exe
1124	powershell.exe
1124	powershell.exe
3640	powershell.exe
3640	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

NPFInstall.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4496	NPFInstall.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeAuditPrivilege	428	svchost.exe
Token: SeSecurityPrivilege	428	svchost.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2540	powershell.exe
Token: SeSecurityPrivilege	2540	powershell.exe
Token: SeTakeOwnershipPrivilege	2540	powershell.exe
Token: SeLoadDriverPrivilege	2540	powershell.exe
Token: SeSystemProfilePrivilege	2540	powershell.exe
Token: SeSystemtimePrivilege	2540	powershell.exe
Token: SeProfSingleProcessPrivilege	2540	powershell.exe
Token: SeIncBasePriorityPrivilege	2540	powershell.exe
Token: SeCreatePagefilePrivilege	2540	powershell.exe
Token: SeBackupPrivilege	2540	powershell.exe
Token: SeRestorePrivilege	2540	powershell.exe
Token: SeShutdownPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeSystemEnvironmentPrivilege	2540	powershell.exe
Token: SeRemoteShutdownPrivilege	2540	powershell.exe
Token: SeUndockPrivilege	2540	powershell.exe
Token: SeManageVolumePrivilege	2540	powershell.exe
Token: 33	2540	powershell.exe
Token: 34	2540	powershell.exe
Token: 35	2540	powershell.exe
Token: 36	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2540	powershell.exe
Token: SeSecurityPrivilege	2540	powershell.exe
Token: SeTakeOwnershipPrivilege	2540	powershell.exe
Token: SeLoadDriverPrivilege	2540	powershell.exe
Token: SeSystemProfilePrivilege	2540	powershell.exe
Token: SeSystemtimePrivilege	2540	powershell.exe
Token: SeProfSingleProcessPrivilege	2540	powershell.exe
Token: SeIncBasePriorityPrivilege	2540	powershell.exe
Token: SeCreatePagefilePrivilege	2540	powershell.exe
Token: SeBackupPrivilege	2540	powershell.exe
Token: SeRestorePrivilege	2540	powershell.exe
Token: SeShutdownPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeSystemEnvironmentPrivilege	2540	powershell.exe
Token: SeRemoteShutdownPrivilege	2540	powershell.exe
Token: SeUndockPrivilege	2540	powershell.exe
Token: SeManageVolumePrivilege	2540	powershell.exe
Token: 33	2540	powershell.exe
Token: 34	2540	powershell.exe
Token: 35	2540	powershell.exe
Token: 36	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2540	powershell.exe
Token: SeSecurityPrivilege	2540	powershell.exe
Token: SeTakeOwnershipPrivilege	2540	powershell.exe
Token: SeLoadDriverPrivilege	2540	powershell.exe
Token: SeSystemProfilePrivilege	2540	powershell.exe
Token: SeSystemtimePrivilege	2540	powershell.exe
Token: SeProfSingleProcessPrivilege	2540	powershell.exe
Token: SeIncBasePriorityPrivilege	2540	powershell.exe
Token: SeCreatePagefilePrivilege	2540	powershell.exe
Token: SeBackupPrivilege	2540	powershell.exe
Token: SeRestorePrivilege	2540	powershell.exe
Token: SeShutdownPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

npcap-1.79.exepowershell.exepowershell.exeNPFInstall.exesvchost.exe

description	pid	process	target process
PID 4264 wrote to memory of 4496	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 4496	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 2396	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2396	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2396	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 1124	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 1124	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 1124	4264	npcap-1.79.exe	powershell.exe
PID 1124 wrote to memory of 2956	1124	powershell.exe	certutil.exe
PID 1124 wrote to memory of 2956	1124	powershell.exe	certutil.exe
PID 1124 wrote to memory of 2956	1124	powershell.exe	certutil.exe
PID 4264 wrote to memory of 1828	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1828	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1828	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 4024	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 4024	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 4024	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 3640	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 3640	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 3640	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2588	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2588	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2588	4264	npcap-1.79.exe	powershell.exe
PID 2588 wrote to memory of 5008	2588	powershell.exe	certutil.exe
PID 2588 wrote to memory of 5008	2588	powershell.exe	certutil.exe
PID 2588 wrote to memory of 5008	2588	powershell.exe	certutil.exe
PID 4264 wrote to memory of 4472	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 4472	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 4472	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1396	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1396	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1396	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1872	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1872	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 1872	4264	npcap-1.79.exe	certutil.exe
PID 4264 wrote to memory of 3668	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 3668	4264	npcap-1.79.exe	NPFInstall.exe
PID 3668 wrote to memory of 4240	3668	NPFInstall.exe	pnputil.exe
PID 3668 wrote to memory of 4240	3668	NPFInstall.exe	pnputil.exe
PID 4264 wrote to memory of 4832	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 4832	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 4268	4264	npcap-1.79.exe	NPFInstall.exe
PID 4264 wrote to memory of 4268	4264	npcap-1.79.exe	NPFInstall.exe
PID 428 wrote to memory of 4104	428	svchost.exe	DrvInst.exe
PID 428 wrote to memory of 4104	428	svchost.exe	DrvInst.exe
PID 4264 wrote to memory of 2604	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2604	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2604	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2540	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2540	4264	npcap-1.79.exe	powershell.exe
PID 4264 wrote to memory of 2540	4264	npcap-1.79.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\A Installer\npcap-1.79.exe
"C:\Users\Admin\AppData\Local\Temp\A Installer\npcap-1.79.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\NPFInstall.exe
"C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\NPFInstall.exe" -n -check_dll
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
3⤵
- Manipulates Digital Signatures
PID:2956

C:\Windows\SysWOW64\certutil.exe
certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
2⤵
PID:1828

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
2⤵
PID:4024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
3⤵
PID:5008

C:\Windows\SysWOW64\certutil.exe
certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
2⤵
PID:4472

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
2⤵
PID:1396

C:\Windows\SysWOW64\certutil.exe
certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\signing.p7b"
2⤵
- Manipulates Digital Signatures
PID:1872

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -c
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SYSTEM32\pnputil.exe
pnputil.exe -e
3⤵
PID:4240

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -iw
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4832

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -i
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2d56eea6-6e72-744a-b8b9-da3ab1a75c78}\NPCAP.inf" "9" "405306be3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Npcap"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.cat
Filesize
12KB

MD5
851cc374a87e0a83956a29c762c008c5

SHA1
1f1c907e687631c551caaaffb0de28dfcfb03c01

SHA256
f05d0dfba14aceb7cb27b49ec8c4f1ce179813e0cf89a32855d7ea2fda91e124

SHA512
260c822dbb2fd53cec2ad352e97a42a665fc030de9cf0b223fed3a945822ccbd7e0e12fa0873646aaf38f5f7b93428f29c0bed3709fbaaa83a3dab6dc39a2dc7

Download Submit
C:\PROGRA~1\Npcap\npcap.sys
Filesize
68KB

MD5
1637086aa0ba4637d2788dc20a0cc67c

SHA1
4628fe7561526714361764ec637339b21ea88b60

SHA256
734c62543768e37c36386b4a07582bb5b322a60d5c997626465725c5b5cef978

SHA512
92fb3dd73873ef8a888823f14911f52fe7c11a06bf4172929783a3f3106ea6298d660389cfca902153424b8df64fbe9dc9c5651228d5eb72a650655df21f7cdc

Download Submit
C:\Program Files\Npcap\NPCAP.inf
Filesize
8KB

MD5
ed7304fce3f5e3de28435d3f9e8b4156

SHA1
45bc86c10386c9368ac482f341999a289dd46897

SHA256
64be5edac3eba224120138c6dea3e4a75740e23324fba5a0799499402d96a258

SHA512
d7532a12b726869e430745da536b7e1e85ce5871bbf3c3cf5fb4261f5b3d5d4307e6267a8b5f53a6719369e261c66c85c05f3941974594ae4864b16242cae41b

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf
Filesize
2KB

MD5
8ca4504e8e9b66d925107a8f13d9babb

SHA1
a1d34e2a6e9ce395da0702a9b1e1ec815dc144f0

SHA256
d1b2726787010252e4dec2a1a47fdd42d86b917c9c41f8baab2219de938b90cb

SHA512
4c3fe98134c6e7c180829f82374b22ab052e1cadd2d2ff71ff6eefa4e2a7ff21b8bff14ff21677099d2656a0c216c40abb9246860e70be9f254d73d58b624c38

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
393B

MD5
316c66618f0eba797c889cf9e4966400

SHA1
867a1f3bf8d198950a22d69d850337d49be6b3c3

SHA256
9d04517293719e9f51286e9c4829c9197f1db10fc773b8396c03f7292603875b

SHA512
ebb2b38b58f05a63c10dce54aa02047be604b09b1c1148185fa7d19e75acc02b3cbc1e2b4ae5fd70cc4e8311f7ddcdf748e0881ce33e74608310665ca0b1622f

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
1KB

MD5
c052b21466041ed14a1cd2cdf93e90cf

SHA1
0d467d9af9ef615796ed82b7af7a574c0e3d5b2a

SHA256
cf450118e170c6e1f05e7d01e53048e53107f09cfa0b1716d3f0a29daf62a315

SHA512
3c0b4a7aeea966012949aa97b6fc356e51f4cb70d7287f06539350484772058c3585500115385ec6206578056a62e7990ff946e0829ed77c43e6d1a4ba16e6d6

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
2KB

MD5
8f6c8077875a8fdcc7fe5e45a52ef7d1

SHA1
9809f3b54dad233079c252307234031d393554b3

SHA256
d883a1e4b8297e28e961afd9c21ef7bfe621c79f21f7978c0b7664c5cee686b0

SHA512
4e5d5accf853ed5f17ad7a83892bea2eb6ee5a346c7c77152882a86954df9501af7c38acd3b138f73ba6d1abbd48215e309e55b532166e3f087d9c3caa0446ba

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
2KB

MD5
730933c33c02fbb7b7d43b5c3cc4fdb7

SHA1
5aeaf381e0f10e99724725f7e3809bf44f5cf89c

SHA256
7f217b793aeefd314511ca8feb2a31b39c4b5451ac3c418765b67630faf151d7

SHA512
c8cf8afbffe95178f85e454e0bcd149238fc4027dcee11c3c9cfbeb265bb562c960c0f623a2a691c904f589fc2117dd22898cec0e01c44fc4b5f4bad8a886de7

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
3KB

MD5
66987f4b03028607635312f377aaa11f

SHA1
657aeb4723f55279aa36b1700bdf994ebba5c1fe

SHA256
46747223ae52f86c32cb49d98a805e34acc7cc53ec8ca69d1bd69e6f24207d99

SHA512
862b9aae5ac8de2449c336c68f87bc32851213de60c7b641c2657ef05e4bb75bbf09047c150774fa3826182c6fca60466afc8959c4378641c3c1fb021353ed11

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
3KB

MD5
1bf378e1eefa99c5eeae1f31ee526c1a

SHA1
0968d79a34779e5150066b94335a0437b54df276

SHA256
3b7c5358ae9f03c8abdb018b4589fb3ab72c5e50de05233940e6ded018b49f60

SHA512
ac677733b839d190de6a7e95ca80ba425d57218741f7c10200a4de984ec9f3b94755b250316960392832ecd0defba8c00a8d470da3f117c5bc36cc72dc504194

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
4KB

MD5
ad2da239aeb17e5858dfd6bb089d607e

SHA1
d65389d6183ea8166662021f85e824257c0b8b7a

SHA256
628b9101de6b79289aa560c7b48e981c6ece056af23d4e459e13613b6d69cf48

SHA512
00c1cd72f20edb9052681e3bbe42fde76a2ff6465ebe655e9066d5bce939db71a0571c8706c6a2940cd2bd5636b2d0ab465141c6f0c8d3a793fe6d8e14d77086

Download Submit
C:\Program Files\Npcap\NPFInstall.log
Filesize
4KB

MD5
932ce12a296a2205ac6a38fe827cd06d

SHA1
f270e4acc0d87c1c2787a639d5deab714e96fc5b

SHA256
bebf395bff366a689670dd939f4dfb12a2ccd4c62556940d0f91969e335d3002

SHA512
d7769e3b4852dd00a87c0c7a844961f3e034720779f907f6341b9cb71e63afd97550a0d3a7223a5e5f8ba3f86a3bbff03bf646dd9e7f4280d9a90361d18887fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
eba5b43a7aac70a6724def24e5977bb5

SHA1
38cff0f7ee22df48cd0b58b26bbd6da14d9fb659

SHA256
5749917489dafe66fdf61a837d69c3f63a87c83b6a050c12be9699191061ff15

SHA512
150b17ecc07decc5311d142db3fbaace8a0d8028de152deb5c477077414764bb40b0273f4689f859290fd804a6f6bd8500c9873b2d147da9101149f7d3ac13a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
b2a0aab8904125eb34add3eb612f5379

SHA1
1b1d656024c6efbc1123ae256f89090e80f76783

SHA256
61301f883133d68aa1b0b5b8eb24c59481b69036fb3adcc46c5f8b5c8b8723cc

SHA512
fb91a83ba4b9e9971f9a95a2dc239d3c4f4da80e8253343856312fe2ed1b20c77d95492189694036c031f10dac6a15cf222143297fd1b7f603f57254009a09d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
61a1e81f3a91de3ae197fe3bdc7a4ce4

SHA1
c316282a4f11462db348d22c9b0dfeb60b1bc0c9

SHA256
8d8bcf2f3b7c6f6865cf102e4172978bc2e8cb9858f2dfbfccf19dabce47730b

SHA512
b83de9062d43738ca8a2b243c6906626d6f024713e9509ca6f0a66874a80e2829615b225fd6316ccaff28fb3122b7a879943ffe02f29bb9ce87b5daad007b835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
42aeacde92f4b1ba45a8290142df6285

SHA1
57a564343a820a7437537a5fd6699d9648f9aafd

SHA256
8d89a7d7d257d5db44eaaf38bb86b097ba1532ee525a49763e957183f336b135

SHA512
4a178268d6318168f0d09d188244e4c8e1e326ce5d1947e031cd0ededf5178fd62c4fa8404554df09775188822ec801912ebb70159ac947e2c2b82c57d29ac2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
c7ddcda19ac2841087985ae4c21d484f

SHA1
e2d26c8f6313c9ad5ea2d1141415c171900e7576

SHA256
3685220e2654bea143754de1610f551d68861c23055b7cd3ff9af906b3e5b241

SHA512
26de754a79580936f1be04c8f73af67ac83327539197224383bc760a8668735962fafe08492061061e7ddb5ddde1cf7f9b0c0ebefbb59ce1802993ed4628face

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
8552bba736057a86a1e30b4e0d5e9157

SHA1
fa0076d83cabab571e14fb32c38479da7801028e

SHA256
ae38c817f0a39a8a08b1507c7c94cbbc9e761a17b7fd5e8d6523caa3e0c4ba3b

SHA512
d9b869580ab5304b02d4cbe96c842889e31e16ef201e96a429cf90658a262ec98d2a5e9128b65fddb54730d50e6c4cfef4e4e1ced2b586e6dcd3aba562b2c2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpmobay3.0s3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst
Filesize
1KB

MD5
de825a838e33ccf3d06b82de337c06d8

SHA1
68956e777f646361eae3f06ce6899cd48bb9f593

SHA256
3b63b09dff7e4c5fe7ccafff74d9f845d1eb04809b0b77a536b2e4aa7dd1097e

SHA512
e935ef759abfcafa4d9cf70a1c5508179600fc85d237e53d3e7f2683fa2e14859e5eee167007328995606996a19f4fcc0c1f9a851011a6fa8db6b53c68160a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst
Filesize
1KB

MD5
a52f3195b5585e1d9a9b38fef66a1801

SHA1
986a5f05ff51d261fe595f0ab56598658aadc9c9

SHA256
40795f603b2eab75fbd886715b0103f2f362494576400ae88925ed1ba7063bdc

SHA512
e9eeb34c3667e56c425b91890f463b5d80e4e5e9f485c2bd3ac064e1784ad118c1460af461e5af8acbbb3bc02432e4f914e54e41d2bdaeaa8af528f0e669b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\InstallOptions.dll
Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\NPFInstall.exe
Filesize
300KB

MD5
c01beb6c3526554ec9dfad40502317f2

SHA1
89f468496bd7e6d993a032f918c5baabb21c11be

SHA256
5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d

SHA512
a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\System.dll
Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\nsExec.dll
Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\options.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\options.ini
Filesize
2KB

MD5
924e8d57fd505728e9e4c11497169946

SHA1
ddbb7c9ca35cc7de3dddaf309a7c7e51df2f6503

SHA256
43020343ded3f552e0e1344cefc88056be15a9c153c526c48a37de85fb501dd6

SHA512
1206758ccaaa88909d76db686dd41bc0f61377d419e23b6c7f9fbe87c2484e0da679556f9e766e7dd13a2c1355b697d1b837b7c65f9ca8cb96215b3d959d6d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss4D28.tmp\signing.p7b
Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
memory/1124-278-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/2396-247-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-262-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/2396-270-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-269-0x0000000007730000-0x000000000776E000-memory.dmp

Filesize
248KB

Download
memory/2396-244-0x000000007352E000-0x000000007352F000-memory.dmp

Filesize
4KB

Download
memory/2396-268-0x0000000008770000-0x0000000008DEA000-memory.dmp

Filesize
6.5MB

Download
memory/2396-267-0x0000000007B40000-0x00000000080E4000-memory.dmp

Filesize
5.6MB

Download
memory/2396-265-0x00000000069E0000-0x00000000069FA000-memory.dmp

Filesize
104KB

Download
memory/2396-266-0x0000000006A60000-0x0000000006A82000-memory.dmp

Filesize
136KB

Download
memory/2396-264-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/2396-263-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/2396-273-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-261-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-256-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/2396-250-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/2396-249-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/2396-248-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-246-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/2396-245-0x0000000002F20000-0x0000000002F56000-memory.dmp

Filesize
216KB

Download
memory/2540-569-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/2604-552-0x0000000006010000-0x0000000006364000-memory.dmp

Filesize
3.3MB

Download
memory/3640-310-0x0000000005430000-0x0000000005784000-memory.dmp

Filesize
3.3MB

Download