b0efd269d32e581da747e5050ef98d2eb91e6de9080e0918f5af85b485a4bdd1

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npcap-1.72.exe
Size

1.1MB
MD5

cab256acf99dc6e0685c0567ea6ee658
SHA1

08aefa7d9a941ffe7d5c29d6b65d115109b5e2b7
SHA256

b0efd269d32e581da747e5050ef98d2eb91e6de9080e0918f5af85b485a4bdd1
SHA512

7f2147cd7d2e0e044e4e46c26df015decc4ae4c51d8500e91f1155cfe91e58c38d5f9a10710e6c70ba7ab590a4828e344ac32f28ecefaf9557429caac626af9b
SSDEEP

24576:uZHcNHqqSX6AQzHlPnK7N1F7nJRFoK7EjvEYwa2MVZcXxZzHN9zqn4:aTUHlPK7rFj3qK7a2MV43O

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.72.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.72.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5D01.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.72.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5CEF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5CEF.tmp	DrvInst.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5D01.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.72.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5D00.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\SET5D00.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\npcap.sys	DrvInst.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\DiagReport.bat	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap_wfp.inf	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\DiagReport.ps1	npcap-1.72.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.72.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.72.exe
File created	C:\Program Files\Npcap\NPFInstall.exe	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap.inf	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\LICENSE	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.72.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem1.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	pnputil.exe

Executes dropped EXE 4 IoCs

pid	Process
836	NPFInstall.exe
2224	NPFInstall.exe
2212	NPFInstall.exe
2620	NPFInstall.exe

Loads dropped DLL 17 IoCs

pid	Process
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
3060	Process not Found
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
1624	npcap-1.72.exe
2460	Process not Found
1624	npcap-1.72.exe
924	Process not Found
1624	npcap-1.72.exe
2444	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.72.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
836	NPFInstall.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1624	npcap-1.72.exe
2500	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeDebugPrivilege	836	NPFInstall.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2908	pnputil.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2212	NPFInstall.exe
Token: SeRestorePrivilege	2620	NPFInstall.exe
Token: SeRestorePrivilege	2620	NPFInstall.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2356	1624	npcap-1.72.exe	30
PID 1624 wrote to memory of 2356	1624	npcap-1.72.exe	30
PID 1624 wrote to memory of 2356	1624	npcap-1.72.exe	30
PID 1624 wrote to memory of 2356	1624	npcap-1.72.exe	30
PID 2356 wrote to memory of 2788	2356	cmd.exe	32
PID 2356 wrote to memory of 2788	2356	cmd.exe	32
PID 2356 wrote to memory of 2788	2356	cmd.exe	32
PID 2356 wrote to memory of 2788	2356	cmd.exe	32
PID 2356 wrote to memory of 2732	2356	cmd.exe	33
PID 2356 wrote to memory of 2732	2356	cmd.exe	33
PID 2356 wrote to memory of 2732	2356	cmd.exe	33
PID 2356 wrote to memory of 2732	2356	cmd.exe	33
PID 1624 wrote to memory of 836	1624	npcap-1.72.exe	35
PID 1624 wrote to memory of 836	1624	npcap-1.72.exe	35
PID 1624 wrote to memory of 836	1624	npcap-1.72.exe	35
PID 1624 wrote to memory of 836	1624	npcap-1.72.exe	35
PID 1624 wrote to memory of 872	1624	npcap-1.72.exe	37
PID 1624 wrote to memory of 872	1624	npcap-1.72.exe	37
PID 1624 wrote to memory of 872	1624	npcap-1.72.exe	37
PID 1624 wrote to memory of 872	1624	npcap-1.72.exe	37
PID 1624 wrote to memory of 1492	1624	npcap-1.72.exe	39
PID 1624 wrote to memory of 1492	1624	npcap-1.72.exe	39
PID 1624 wrote to memory of 1492	1624	npcap-1.72.exe	39
PID 1624 wrote to memory of 1492	1624	npcap-1.72.exe	39
PID 1624 wrote to memory of 2224	1624	npcap-1.72.exe	41
PID 1624 wrote to memory of 2224	1624	npcap-1.72.exe	41
PID 1624 wrote to memory of 2224	1624	npcap-1.72.exe	41
PID 1624 wrote to memory of 2224	1624	npcap-1.72.exe	41
PID 2224 wrote to memory of 2908	2224	NPFInstall.exe	43
PID 2224 wrote to memory of 2908	2224	NPFInstall.exe	43
PID 2224 wrote to memory of 2908	2224	NPFInstall.exe	43
PID 1624 wrote to memory of 2212	1624	npcap-1.72.exe	45
PID 1624 wrote to memory of 2212	1624	npcap-1.72.exe	45
PID 1624 wrote to memory of 2212	1624	npcap-1.72.exe	45
PID 1624 wrote to memory of 2212	1624	npcap-1.72.exe	45
PID 1624 wrote to memory of 2620	1624	npcap-1.72.exe	47
PID 1624 wrote to memory of 2620	1624	npcap-1.72.exe	47
PID 1624 wrote to memory of 2620	1624	npcap-1.72.exe	47
PID 1624 wrote to memory of 2620	1624	npcap-1.72.exe	47
PID 2576 wrote to memory of 2500	2576	DrvInst.exe	50
PID 2576 wrote to memory of 2500	2576	DrvInst.exe	50
PID 2576 wrote to memory of 2500	2576	DrvInst.exe	50

C:\Users\Admin\AppData\Local\Temp\npcap-1.72.exe
"C:\Users\Admin\AppData\Local\Temp\npcap-1.72.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\findstr.exe
    C:\Windows\System32\findstr.exe "^KB4474419"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\NPFInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\NPFInstall.exe" -n -check_dll
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\SysWOW64\certutil.exe
  certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\roots.p7b"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\SysWOW64\certutil.exe
  certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\signing.p7b"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\pnputil.exe
    pnputil.exe -e
    3⤵
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -i
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{66c9f4f3-7301-111b-afe9-114cbb1f8c0b}\NPCAP.inf" "9" "605306be3" "0000000000000544" "WinSta0\Default" "00000000000003E0" "208" "C:\Program Files\Npcap"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{587805ae-4073-3b2d-1fb9-fb70c8be3f43} Global\{7ecb0761-f40d-5409-89e9-767c1d1c6b50} C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\NPCAP.inf C:\Windows\System32\DriverStore\Temp\{196e59b8-eb61-1e32-dc89-ce74e7985e17}\npcap.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.sys

Filesize
65KB

MD5
488c9ab147a3550990341e28f2f446cd

SHA1
e902a2bfbfb3951f4fda867d9c9f06cb24445d29

SHA256
47f39d6bf090abe687c095e15e1d52991fe68af3e93c1618c905699aa9bb2003

SHA512
f1391ba80766f7ae065732809910d27619f948f3ee6fcb8cd43f20cf0b1cf997776485d7bb044f8dbb69fad6d6986c0c0ce8430567c954e239e5fd95e7a4bc15

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
c5a26b7a7af29f1aebe5644d7d78bfb2

SHA1
4a17051c0f902e951d41d5ca5c201c906909ed88

SHA256
ed180fc4830d6032bbb40692bf5a7f6dcff58a64883d34c72c9d2134e9a09748

SHA512
36c13301e99e14f19fd28e20f221263994d5a7c8b27a28cc11cf85256b9bcf7e76da1c3bd54bf1b7798e5fa7ccb4aa818b97ce2ab9f494b6727be8f73c16a655

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
04849c73048bcd208ff0abba8ea167e9

SHA1
2a37af42c8aa1f335b7eade61a22c46b13dd5429

SHA256
b9e12f5e3cef2ba4a190809ffac4d02649f1d00e95b4f351c63940ae57bec39a

SHA512
d15a717515b85c92033c84b3ce82bd38589b3bfa8cd2ee1dc5e90b45a5845975dec68282ac0bad35a50f619cf1815cc4b65db5e5836c0b22b851f3bbd4a517ce

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
876B

MD5
250d45607a05611dc6fcce937fc9a41a

SHA1
e0c26fbb20700632b4d86f5f34b85d094e348522

SHA256
4fd67e0437cde5755dba135786e8a6fbddd2ea9059149b7153039830f25d742e

SHA512
1a384e5fac4677c3d1c4a7960efa82716284cd6415aeaf2307ce1404a7047003dc7f59492bf2246452a9b22bcb6ba8a0bc471f42f507e254bc26969ac4f0432e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
ad99ee7d1b1af6ac7957fd5b1a5aa483

SHA1
f7cd0a460f5273ab9ffdff394b5f559dfbb08df7

SHA256
e589092607dfe07bd5c6aaf1675eddc5655175729b20c4ad1e3293aafbe108c5

SHA512
3a7f78ddc9b53bbc5ceb21dd16cc6fe29269659d6619115ebed46aa66a425d169bdb186dd775ad9d8d782acb7f162f4d71a6de54d6bec77b41cd330ae7fd697a

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
35ab0f2f066e7191f4a52165c10cbcd6

SHA1
32d9713590f5a36a338701e7690dc87ce7c5fe43

SHA256
a09c42147f8ef8b1aeb6c9e425429fa5fc4b583859b2eb793a0c612885f801d9

SHA512
1529d3c225d119c47fa488dd41e6fd274e980a88fc101eb56ebc7bd2ecf6f306af36af315aecf9e0209c91fae02fdbaa7199cf8ddfa1105bbcd136f0f605328b

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
2581624c1b77d027eebf4ed81098f027

SHA1
7ff22273fec080958e058c7442a69cc1c92e3cb9

SHA256
0a97debef7b7ccc666e65d58ba53c3877b4eee732fd4827708b8860f3237b282

SHA512
bf6f9bef3da2dcdb35f5abe9e25c0d9ddccfbaba2e38927e4a6c9a6dd03e32895036f15dec7e67413dd6b58e04694ef85a7d15e5fb25aee0c4c97ec82cb344ba

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
9a383dcf9f301e09c99c96bdee519aad

SHA1
bc681801ed062a43409b430259a358821d8916d8

SHA256
a0b2c8edaeaa7d3f221d716c3dcab0f02121983930ab959b5004cd0e6ca8d371

SHA512
422b4669427d15db3ad47e5f74184496f3489c2237ef3d4578d43bdd2f5525cf32596e46c25d8c668fb6ef93d5a3e4e4bc495a82818297c76f24ca626ac2c926

Download Submit
C:\Program Files\Npcap\npcap.cat

Filesize
12KB

MD5
1620ac81649dc1aba17b2195528fb26f

SHA1
a2f6253df6ed60e8efa84e004bf1fcabd2e84772

SHA256
a126d843a984c6db3ff4118283514807e2d1a7721f31c578d661d32700ee9cd8

SHA512
33f949ff7c484b2c8f20d142c6cd68b8ba339614fda4d19c41dbefdab0b3770904777f9eb3ec7b358eeaa1ab0b62e4a2f1a4ad719c08402f45b20470a0b93e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab602C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\options.ini

Filesize
2KB

MD5
08b8bd30689a10cb1bcfe734522e9e76

SHA1
91581bfb971e1fb6897c2d8e2a17c65c871f3411

SHA256
0e185010227c3c8190822bbae6041dfc1d5b753fd8050bcef6c9422c487eff6d

SHA512
e5ab2f09fc8d09f37778e6e1994755e17b4cd46495048d05422e8a098aa466673c11ece71a40a03ca4bc977fdf283e56b914d356f46af39b1fd33dbdb10e306b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\options.ini

Filesize
2KB

MD5
5e4f6552475d520010bde54a173e8791

SHA1
60d947c828ee88b35bcf2e080d13b954c02bd75c

SHA256
9c9f91f8d60c66a88fe4ad6091dce4be584673b15aee6f53af191526ac559c10

SHA512
c69d6244ecfa7137e40de1cd82a2472a430db83550cde11bcd65516cc3a9e1a69b1721e55220cb8a724e01d2dbe3900b575129d88a6ba6b5ab179a186aa616cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\options.ini

Filesize
2KB

MD5
13e97737a6246589891649c8d26770cf

SHA1
9cc20bbb0f6eabd4b6d4064367a530328cbcff52

SHA256
91a66f2ed3db2cce2487972159e21ad26062f8e6ddfff93faeaac5f1f278a6ee

SHA512
3cc5e4dd1b1bc91c9176959a84e65d0e45caa61bbdec96675f7b2d1285b6eb5afd7dc35ff9ba9aead65eb007182cb3f8771e38046e527126bcc0c75dc7b15d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse21B6.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Windows\Temp\Cab5DEB.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar5F06.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Users\Admin\AppData\Local\Temp\nse21B6.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nse21B6.tmp\NPFInstall.exe

Filesize
301KB

MD5
69a2863281739e40702e40fde07ef72d

SHA1
8cf737fb5845a45445483cb1fae533c5a61da028

SHA256
5c2e569db9c5a978004b8fbf04ed372071ad998d759a12e5aaba470df158889e

SHA512
2315a4aa52f579a3633bd9c61c293b9fa78725d8331deee6ca24db70fb2565f431fc0f7f1ee84881b2e34b778ffc91c45e1b694ae517cdd266b0875e7089f178

Download Submit
\Users\Admin\AppData\Local\Temp\nse21B6.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
\Users\Admin\AppData\Local\Temp\nse21B6.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit