Analysis
-
max time kernel
126s -
max time network
133s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
22/08/2024, 14:39
General
-
Target
build/packaging/nsis/wireshark-4.5.0-x64.exe
-
Size
140.1MB
-
MD5
3dabcbdceadc3c0f99595728b1aacca2
-
SHA1
9cc72a1b9b8d655ceb9108c4a447f112d8d44511
-
SHA256
45b22782db9f3b15b53d056e4b4b2a725e85d276f8f12125ea7e928b1d8c94a5
-
SHA512
2648c7d202c4728617417a9df8ca0d198ec0793a3e8ea38f63c2c9d7095380cd79776b95f27abe566bb82789ddfae657ded33876fe13194046663b3ed35aed61
-
SSDEEP
3145728:dmDxMO97QySz96BBgMDsonZWh5MPj0Qw/2w0FjIXvibrMpv3KgoakU2Tmu65:mjOv4BvDslh27K4jIXvf3KW2Tmu65
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity. Note that the analyzed target is the Wireshark installer itself (see Target above), so a hit on this signature is likely the installer checking for an existing installation rather than analysis evasion.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell with a hidden display window.
pid Process 2552 powershell.exe 864 powershell.exe 5056 powershell.exe 1112 powershell.exe 2984 powershell.exe 916 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SET1DF3.tmp NPFInstall.exe File created C:\Windows\system32\DRIVERS\SET1DF3.tmp NPFInstall.exe File opened for modification C:\Windows\system32\DRIVERS\npcap.sys NPFInstall.exe -
Manipulates Digital Signatures 1 TTPs 8 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed. In this report the matching events are certutil.exe writing certificate blobs under the machine TrustedPublisher store and registering CryptDllFindOIDInfo OID names; when reviewing, confirm that the added publisher certificates belong to the expected software vendors.
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 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 certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 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 certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 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 certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 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 certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 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 certutil.exe -
Executes dropped EXE 6 IoCs
pid Process 4380 npcap-1.79.exe 892 NPFInstall.exe 1824 NPFInstall.exe 3368 NPFInstall.exe 2060 NPFInstall.exe 3612 Wireshark.exe -
Loads dropped DLL 64 IoCs
pid Process 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 2820 wireshark-4.5.0-x64.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 4380 npcap-1.79.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe 3612 Wireshark.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 34 IoCs
description ioc Process File created C:\Windows\system32\Npcap\wpcap.dll npcap-1.79.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\npcap.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.cat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_3debe5e78bab1bca\netbrdg.PNF NPFInstall.exe File created C:\Windows\SysWOW64\Npcap\Packet.dll npcap-1.79.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B92.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B93.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\npcap.sys DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\NPCAP.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_56c163d21e8c2b62\netserv.PNF NPFInstall.exe File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_0525128a3d54207e\netnwifi.PNF NPFInstall.exe File created C:\Windows\system32\Npcap\NpcapHelper.exe npcap-1.79.exe File created C:\Windows\system32\Npcap\WlanHelper.exe npcap-1.79.exe File created C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B92.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B94.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF NPFInstall.exe File created C:\Windows\SysWOW64\Npcap\wpcap.dll npcap-1.79.exe File created C:\Windows\SysWOW64\Npcap\NpcapHelper.exe 
npcap-1.79.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\NPCAP.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B94.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_882899f2b1006416\netvwififlt.PNF NPFInstall.exe File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_8074ac14f1ab2957\netpacer.PNF NPFInstall.exe File created C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.PNF NPFInstall.exe File created C:\Windows\SysWOW64\Npcap\WlanHelper.exe npcap-1.79.exe File created C:\Windows\system32\Npcap\Packet.dll npcap-1.79.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5} DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{0d747bae-271a-6e4f-ad8e-1d00175e9ce5}\SET1B93.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_d34968d7b3e6da21\ndiscap.PNF NPFInstall.exe File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_bc519c177a90877a\c_netservice.PNF NPFInstall.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_72f156a5ee3f59e8\netrass.PNF NPFInstall.exe File created C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_10acfa4b924dd181\netnb.PNF NPFInstall.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\wireshark\libp11-kit-0.dll wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.rfc6929 wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.ruckus wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChStatSametime.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-details-pane.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.asn wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.rfc2866 wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.rfc6572 wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\diameter\chargecontrol.xml wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\diameter\Vodafone.xml wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\toolbar\filter-toolbar-add.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChIntroHistory.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChTelIAX2Analysis.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.propel wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\platforms\qwindows.dll wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChCustCommandLine.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\plugins\4.5\epan\wimaxmacphy.dll wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-wireless-key-examples.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChIOPacketRangeSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's 
Guide\ChWorkDefineFilterSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\wireshark.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\diameter\Microsoft.xml wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\AppToolsreordercap.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-list-pane.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Qt6Multimedia.dll wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChUseFileMenuSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChWorkMarkPacketSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-filter-macros.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-print.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.infonet wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.meru wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\generic\qtuiotouchplugin.dll wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.fortinet wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\AppMessagesDetails.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.motorola.illegal wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChIOExportSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-export-specified-packets.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.tripplite wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\editcap.html wireshark-4.5.0-x64.exe File created C:\Program 
Files\wireshark\Wireshark User's Guide\images\related-other.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChUseStatisticsMenuSection.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.brocade wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.sonicwall wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChStatistics.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.starent.vsa1 wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChMateConfigurationLibrary.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\important.svg wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\toolbar\filter-toolbar-recent.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.bintec wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.smartsharesystems wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\toolbar\zoom-original.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.riverstone wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.gemtek wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\dtds\dc.dtd wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-export-pdus-to-file.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\diameter\nasreq.xml wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\translations\wireshark_it.qm wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\AppProtocols.html wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's 
Guide\images\ws-bluetooth-devices.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\images\ws-save-as-qt5.png wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.alteon wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.motorola wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\radius\dictionary.rfc2865 wireshark-4.5.0-x64.exe File created C:\Program Files\wireshark\Wireshark User's Guide\ChWorkShiftTimePacketSection.html wireshark-4.5.0-x64.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\INF\oem3.PNF NPFInstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log NPFInstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npcap-1.79.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wireshark-4.5.0-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Checks SCSI registry key(s) 3 TTPs 38 IoCs
SCSI information is often read in order to detect sandboxing environments. In this report the reads come from DrvInst.exe, NPFInstall.exe and svchost.exe, which is consistent with device enumeration during the npcap driver installation rather than sandbox detection by the sample itself.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ NPFInstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A NPFInstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ NPFInstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ NPFInstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 NPFInstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A NPFInstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe -
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments. The readers here are Wireshark.exe and firefox.exe; firefox.exe is not among the executed or dropped binaries listed in this report, so it is presumably part of the sandbox environment — verify before attributing it to the sample.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Wireshark.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Wireshark.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Wireshark.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString Wireshark.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Wireshark.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Wireshark.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Wireshark.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe 
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rf5\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.syc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tpc wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.atc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pcap\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mplog wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ntar wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.out\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings firefox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\ = "Wireshark capture file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ems\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.atc wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wpz wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command\ = "\"C:\\Program Files\\wireshark\\wireshark.exe\" \"%1\"" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.apc wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wpc wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wpz\ = "wireshark-capture-file" 
wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tr1 wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.scap\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bfr wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.acp\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.5vw\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.acp wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ems wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.enc wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ntar\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rf5 wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rtp\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\.cap wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix wireshark-4.5.0-x64.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tr1\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5vw wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\.cap\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\.erf\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pkt wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vwr wireshark-4.5.0-x64.exe Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\.erf wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mplog\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pcap wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.syc wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.trc wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rtp wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.enc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.scap wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lcap wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lcap\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pkt\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.snoop\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bfr\ = 
"wireshark-capture-file" wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fdc wireshark-4.5.0-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell wireshark-4.5.0-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.apc\ = "wireshark-capture-file" wireshark-4.5.0-x64.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3612 Wireshark.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 892 NPFInstall.exe 892 NPFInstall.exe 2984 powershell.exe 2984 powershell.exe 916 powershell.exe 916 powershell.exe 2552 powershell.exe 2552 powershell.exe 864 powershell.exe 864 powershell.exe 5056 powershell.exe 5056 powershell.exe 1112 powershell.exe 1112 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3612 Wireshark.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 668 Process not Found 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 892 NPFInstall.exe Token: SeDebugPrivilege 2984 powershell.exe Token: SeDebugPrivilege 916 powershell.exe Token: SeDebugPrivilege 2552 powershell.exe Token: SeDebugPrivilege 864 powershell.exe Token: SeAuditPrivilege 2932 svchost.exe Token: SeSecurityPrivilege 2932 svchost.exe Token: SeDebugPrivilege 5056 powershell.exe Token: SeDebugPrivilege 1112 powershell.exe Token: SeIncreaseQuotaPrivilege 1112 powershell.exe Token: SeSecurityPrivilege 1112 powershell.exe Token: SeTakeOwnershipPrivilege 1112 powershell.exe Token: SeLoadDriverPrivilege 1112 powershell.exe Token: SeSystemProfilePrivilege 1112 powershell.exe Token: SeSystemtimePrivilege 1112 powershell.exe Token: SeProfSingleProcessPrivilege 1112 powershell.exe Token: SeIncBasePriorityPrivilege 1112 powershell.exe Token: SeCreatePagefilePrivilege 1112 powershell.exe Token: SeBackupPrivilege 1112 powershell.exe Token: SeRestorePrivilege 1112 powershell.exe Token: SeShutdownPrivilege 1112 powershell.exe Token: SeDebugPrivilege 1112 powershell.exe Token: SeSystemEnvironmentPrivilege 1112 powershell.exe Token: SeRemoteShutdownPrivilege 1112 powershell.exe Token: SeUndockPrivilege 1112 powershell.exe Token: SeManageVolumePrivilege 1112 powershell.exe Token: 33 1112 powershell.exe Token: 34 1112 powershell.exe Token: 35 1112 powershell.exe Token: 36 1112 powershell.exe Token: SeIncreaseQuotaPrivilege 1112 powershell.exe Token: SeSecurityPrivilege 1112 powershell.exe Token: SeTakeOwnershipPrivilege 1112 powershell.exe Token: SeLoadDriverPrivilege 1112 powershell.exe Token: SeSystemProfilePrivilege 1112 powershell.exe Token: SeSystemtimePrivilege 1112 powershell.exe Token: SeProfSingleProcessPrivilege 1112 powershell.exe Token: SeIncBasePriorityPrivilege 1112 powershell.exe Token: SeCreatePagefilePrivilege 1112 powershell.exe Token: SeBackupPrivilege 1112 powershell.exe Token: SeRestorePrivilege 1112 powershell.exe Token: SeShutdownPrivilege 1112 powershell.exe Token: 
SeDebugPrivilege 1112 powershell.exe Token: SeSystemEnvironmentPrivilege 1112 powershell.exe Token: SeRemoteShutdownPrivilege 1112 powershell.exe Token: SeUndockPrivilege 1112 powershell.exe Token: SeManageVolumePrivilege 1112 powershell.exe Token: 33 1112 powershell.exe Token: 34 1112 powershell.exe Token: 35 1112 powershell.exe Token: 36 1112 powershell.exe Token: SeIncreaseQuotaPrivilege 1112 powershell.exe Token: SeSecurityPrivilege 1112 powershell.exe Token: SeTakeOwnershipPrivilege 1112 powershell.exe Token: SeLoadDriverPrivilege 1112 powershell.exe Token: SeSystemProfilePrivilege 1112 powershell.exe Token: SeSystemtimePrivilege 1112 powershell.exe Token: SeProfSingleProcessPrivilege 1112 powershell.exe Token: SeIncBasePriorityPrivilege 1112 powershell.exe Token: SeCreatePagefilePrivilege 1112 powershell.exe Token: SeBackupPrivilege 1112 powershell.exe Token: SeRestorePrivilege 1112 powershell.exe Token: SeShutdownPrivilege 1112 powershell.exe Token: SeDebugPrivilege 1112 powershell.exe -
Suspicious use of FindShellTrayWindow 21 IoCs
pid Process 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe 6008 firefox.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 6008 firefox.exe 3900 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2820 wrote to memory of 4380 2820 wireshark-4.5.0-x64.exe 81 PID 2820 wrote to memory of 4380 2820 wireshark-4.5.0-x64.exe 81 PID 2820 wrote to memory of 4380 2820 wireshark-4.5.0-x64.exe 81 PID 4380 wrote to memory of 892 4380 npcap-1.79.exe 82 PID 4380 wrote to memory of 892 4380 npcap-1.79.exe 82 PID 4380 wrote to memory of 2984 4380 npcap-1.79.exe 84 PID 4380 wrote to memory of 2984 4380 npcap-1.79.exe 84 PID 4380 wrote to memory of 2984 4380 npcap-1.79.exe 84 PID 4380 wrote to memory of 916 4380 npcap-1.79.exe 86 PID 4380 wrote to memory of 916 4380 npcap-1.79.exe 86 PID 4380 wrote to memory of 916 4380 npcap-1.79.exe 86 PID 916 wrote to memory of 4576 916 powershell.exe 88 PID 916 wrote to memory of 4576 916 powershell.exe 88 PID 916 wrote to memory of 4576 916 powershell.exe 88 PID 4380 wrote to memory of 3336 4380 npcap-1.79.exe 89 PID 4380 wrote to memory of 3336 4380 npcap-1.79.exe 89 PID 4380 wrote to memory of 3336 4380 npcap-1.79.exe 89 PID 4380 wrote to memory of 1712 4380 npcap-1.79.exe 91 PID 4380 wrote to memory of 1712 4380 npcap-1.79.exe 91 PID 4380 wrote to memory of 1712 4380 npcap-1.79.exe 91 PID 4380 wrote to memory of 2552 4380 npcap-1.79.exe 93 PID 4380 wrote to memory of 2552 4380 npcap-1.79.exe 93 PID 4380 wrote to memory of 2552 4380 npcap-1.79.exe 93 PID 4380 wrote to memory of 864 4380 npcap-1.79.exe 95 PID 4380 wrote to memory of 864 4380 npcap-1.79.exe 95 PID 4380 wrote to memory of 864 4380 npcap-1.79.exe 95 PID 864 wrote to memory of 2628 864 powershell.exe 97 PID 864 wrote to memory of 2628 864 powershell.exe 97 PID 864 wrote to memory of 2628 864 powershell.exe 97 PID 4380 wrote to memory of 2196 4380 npcap-1.79.exe 98 PID 4380 wrote to memory of 2196 4380 npcap-1.79.exe 98 PID 4380 wrote to memory of 2196 4380 npcap-1.79.exe 98 PID 4380 wrote to memory of 4784 4380 npcap-1.79.exe 100 PID 4380 wrote to memory of 4784 4380 npcap-1.79.exe 100 PID 4380 wrote to memory of 4784 4380 
npcap-1.79.exe 100 PID 4380 wrote to memory of 3304 4380 npcap-1.79.exe 102 PID 4380 wrote to memory of 3304 4380 npcap-1.79.exe 102 PID 4380 wrote to memory of 3304 4380 npcap-1.79.exe 102 PID 4380 wrote to memory of 1824 4380 npcap-1.79.exe 104 PID 4380 wrote to memory of 1824 4380 npcap-1.79.exe 104 PID 1824 wrote to memory of 1652 1824 NPFInstall.exe 106 PID 1824 wrote to memory of 1652 1824 NPFInstall.exe 106 PID 4380 wrote to memory of 3368 4380 npcap-1.79.exe 108 PID 4380 wrote to memory of 3368 4380 npcap-1.79.exe 108 PID 4380 wrote to memory of 2060 4380 npcap-1.79.exe 110 PID 4380 wrote to memory of 2060 4380 npcap-1.79.exe 110 PID 2932 wrote to memory of 4752 2932 svchost.exe 114 PID 2932 wrote to memory of 4752 2932 svchost.exe 114 PID 4380 wrote to memory of 5056 4380 npcap-1.79.exe 115 PID 4380 wrote to memory of 5056 4380 npcap-1.79.exe 115 PID 4380 wrote to memory of 5056 4380 npcap-1.79.exe 115 PID 4380 wrote to memory of 1112 4380 npcap-1.79.exe 117 PID 4380 wrote to memory of 1112 4380 npcap-1.79.exe 117 PID 4380 wrote to memory of 1112 4380 npcap-1.79.exe 117 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 PID 5924 wrote to memory of 6008 5924 firefox.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run the registration appears to correspond to the PowerShell command under PID 1112, which creates the 'npcapwatchdog' task to run C:\Program Files\Npcap\CheckStatus.bat as SYSTEM at startup.
Processes
-
C:\Users\Admin\AppData\Local\Temp\build\packaging\nsis\wireshark-4.5.0-x64.exe"C:\Users\Admin\AppData\Local\Temp\build\packaging\nsis\wireshark-4.5.0-x64.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Program Files\wireshark\npcap-1.79.exe"C:\Program Files\wireshark\npcap-1.79.exe" /winpcap_mode=no /loopback_support=no2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\NPFInstall.exe"C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\NPFInstall.exe" -n -check_dll3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d434⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:4576
-
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"3⤵
- System Location Discovery: System Language Discovery
PID:3336
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"3⤵
- System Location Discovery: System Language Discovery
PID:1712
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc254⤵
- System Location Discovery: System Language Discovery
PID:2628
-
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"3⤵
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"3⤵
- System Location Discovery: System Language Discovery
PID:4784
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nssD8CE.tmp\signing.p7b"3⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:3304
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -c3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SYSTEM32\pnputil.exepnputil.exe -e4⤵PID:1652
-
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -iw3⤵
- Executes dropped EXE
PID:3368
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -i3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2060
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{82f9caea-e682-1046-ac6d-afb0aa360e80}\NPCAP.inf" "9" "405306be3" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Npcap"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4752
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5924 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6008 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fdd62de-16ac-4280-a781-f267a2b9e42b} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" gpu3⤵PID:4276
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a090d953-81d5-4113-b549-0d8b5fad49ce} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" socket3⤵PID:1116
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2780 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2896 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59d21f33-8f55-44a9-8df2-8618d7d07237} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" tab3⤵PID:4796
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 2 -isForBrowser -prefsHandle 2696 -prefMapHandle 3532 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf5c812d-9590-416f-8fdb-78e4965a45fc} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" tab3⤵PID:2692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4232 -prefMapHandle 4228 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4c5ca71-e472-4ea5-a85d-67e0566d152e} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" utility3⤵
- Checks processor information in registry
PID:1780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5368 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aec43026-b005-4267-b02d-08d02401c9ff} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" tab3⤵PID:5324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1ac88b-b499-46d9-af14-cd7ba76d32ad} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" tab3⤵PID:5336
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2112aa3-de75-4691-8087-8c38b5b512ae} 6008 "\\.\pipe\gecko-crash-server-pipe.6008" tab3⤵PID:5348
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3900
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2972
-
C:\Program Files\wireshark\Wireshark.exe"C:\Program Files\wireshark\Wireshark.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3612
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
12KB
MD5851cc374a87e0a83956a29c762c008c5
SHA11f1c907e687631c551caaaffb0de28dfcfb03c01
SHA256f05d0dfba14aceb7cb27b49ec8c4f1ce179813e0cf89a32855d7ea2fda91e124
SHA512260c822dbb2fd53cec2ad352e97a42a665fc030de9cf0b223fed3a945822ccbd7e0e12fa0873646aaf38f5f7b93428f29c0bed3709fbaaa83a3dab6dc39a2dc7
-
Filesize
68KB
MD51637086aa0ba4637d2788dc20a0cc67c
SHA14628fe7561526714361764ec637339b21ea88b60
SHA256734c62543768e37c36386b4a07582bb5b322a60d5c997626465725c5b5cef978
SHA51292fb3dd73873ef8a888823f14911f52fe7c11a06bf4172929783a3f3106ea6298d660389cfca902153424b8df64fbe9dc9c5651228d5eb72a650655df21f7cdc
-
Filesize
8KB
MD5ed7304fce3f5e3de28435d3f9e8b4156
SHA145bc86c10386c9368ac482f341999a289dd46897
SHA25664be5edac3eba224120138c6dea3e4a75740e23324fba5a0799499402d96a258
SHA512d7532a12b726869e430745da536b7e1e85ce5871bbf3c3cf5fb4261f5b3d5d4307e6267a8b5f53a6719369e261c66c85c05f3941974594ae4864b16242cae41b
-
Filesize
2KB
MD58ca4504e8e9b66d925107a8f13d9babb
SHA1a1d34e2a6e9ce395da0702a9b1e1ec815dc144f0
SHA256d1b2726787010252e4dec2a1a47fdd42d86b917c9c41f8baab2219de938b90cb
SHA5124c3fe98134c6e7c180829f82374b22ab052e1cadd2d2ff71ff6eefa4e2a7ff21b8bff14ff21677099d2656a0c216c40abb9246860e70be9f254d73d58b624c38
-
Filesize
1KB
MD5a7de1a6d83b700584eaa1437cf0a3cea
SHA17653b1247915e5fd6141dd3d2f8c5cfc9401e224
SHA2561456378eec931e4514676a81e2f8caca854ae4033a6a4c268180ae808cf19eca
SHA512deb83d6255d2652dcd9a5a0c9bd6987fcbf466ac28bdfc93b17d5bca6c2229850d9bb7e9e8b7aa36e957354dc2c7e765024ce97c4c81f92f49cecd6e94e0b024
-
Filesize
2KB
MD5f64ff041b23e4822730279987271fee0
SHA125699899ad929f3f5f0985ae0c4f4948192d3ec1
SHA2567860df2cca134bfa62fda18aa9f5e6e5a1cb5256defaa17ebbafa41cab60d113
SHA5124095e6a875b037a7ae93d3c3c8df0c10e73f5444e9b5eac34aa6597a0f288fc851aa164cc525151b25aff11d86fcf0aea1127887d599d88f0966fa65813506b2
-
Filesize
3KB
MD5c7e833b4ca5533ec21a204f7d7de1d3b
SHA14a43032ea7c793eff6a2db4f2e1480dd58b90952
SHA25627aa3141f00142b6ae4dd2420defb763087cf9a00297ebd8b5f47129bd2553ed
SHA51215cb551afbc54bc36c34a782f72f4bd5a77ddce543fbafaa2bcaf56e6bf611f8f0766b9699aed30acf20b255af34a8628ef18d01f19af8eee58816b65d323a41
-
Filesize
4KB
MD5d1bac023bbf774d41dc24d4ac73560ae
SHA1c54d038f62fca8f537a5348421c7bbe70ce2cec0
SHA256a711177c1398ac71511f56f1215e5e885c4ea8d06adcdae3c8a7f8f4270c08d4
SHA512df403b073898ae08e349eca3aa29dde0bfd09b575c34a24298616242d12313b0ee63649c2529483d29e1d2073e8285d66e3c4223c6817eed6cde67bc0a274f76
-
Filesize
4KB
MD5924dd62894e5bb430728d9db055d778a
SHA1b89c5ec6c3d405e4d5e90db13bee69b267d8f8ba
SHA25656725678750a58560698ba16c0cd76d85405a3a00e14a9e033c1f3b14716f4a1
SHA5125e3edf5c6448bcd3e64268de1eaf05894bcac1c9a05ba97be804019223a95b94669648f66729aac84255718b68a16a460692cc522c5005812d617245b9ce48fb
-
Filesize
393B
MD5a7dd7832fb1745725e6e68742a33e16d
SHA1730c1cb98b11be92fdd3bc7719e462e9943316ac
SHA256c59f93ef85820fd6d0b223fba78c720f130ddc009be219284a9e8d3bd21ae817
SHA512a76551c5e630f3ac7dc121501aa8606fe7d63cfd1edf70bf0768ac2fb64f3475a5bfc1b5ce44cff3169f80a6133e731fe783d0719b0b9828cece2c906b5a715d
-
Filesize
926B
MD5b53e80e92f6b02398057b648788ce24d
SHA1a5fb9bb28283d96e264f9901f2bece0212eaf6cc
SHA256482129b342bccd03e1da1dfcbd6c690c410cc5de158980203f76e3ebcdb9ab51
SHA512994886d1150496d26bad2b9b9f87fa8b8eed7ac0eb1d03a56cfac48cbd8ab1e4b0d88972773d61b35d8c63a67bfdfe30cb93d0b2f56529371b2205eaf5b74498
-
Filesize
906KB
MD5bfac021919090c9023159c0e3972685b
SHA18fc30beeb3e2c41a79f94bb46d6534e63336a903
SHA2568838301cc288cb3266d15e56a5ba276d465ec6019ce3e17e2b9a08b9a0d4b230
SHA512390c1cb5783d69f52570b5c0632abda3113241c30e71cc229f43aac403435e2abf0adeb31e560769f60edd06f62ed5fecb4f62d439304802a712c8b35c4efae6
-
Filesize
25.1MB
MD5d13cf05a080fb39f93b58d443361dfde
SHA1c57940ac19701c469258f6cc86c4a52c7e3f69c1
SHA256448d0cd49cfc47d1d2bc8951da44bebbe22966558b00140c1719d19e77667438
SHA51255e46655c028b969869e54dc778676f4701fdb48ea9af3f48eb4e029fc3a051f1e06db5db512f1d0d52e3aca8872cbfd6bf81411153362a340bdf0942ef8adad
-
Filesize
66KB
MD5aaf9881ca83e681cb00c5fb44b7f9799
SHA17cc722f3832f75c63c1a156f1b26125af38dabfd
SHA2567fa357db9653b61d72657b5539680a2fef2b1fc3604477c5258bf08f165f017d
SHA512d14030e37128763cef84bc5cba8ea4aa2c609c068eb218e3f04c15493ba0c43232f8668365cd6dc3d93feb48eb33469614238762947605d0cd9250b1491cebc5
-
Filesize
1.1MB
MD5a4d7e47df742f62080bf845d606045b4
SHA1723743dc9fa4a190452a7ffc971adfaac91606fa
SHA256a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
SHA5128582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
-
Filesize
2KB
MD508a41b2a5cba04117cc86ac7628814fd
SHA127ef154216bc996c5d6726072715f176ac349fc5
SHA2568f2c523d6b851d6a91ebad962f18f005e8ab564efc5a2c3325a2d7ddd469f0a0
SHA512df9d99b0cd8de5b2da7c74520c66a35acfa0dbf6fe927e3146a63d52c0808792a1cb56c36645810a4eccf3ada536f931e0e4b5e1472c01a709fda4d3eafb53e7
-
Filesize
17KB
MD5ece761185d91c00d5aa620b1c18d45ec
SHA19d4bc72467a805d8a238ab05cbdce4efe3d41003
SHA256639ecd2e696874bc4ba626f2a81767c1b76b5a33805d3cb2360098c12e8a0673
SHA5128cea9d9c959d637582641d63d873392ab308f000837408bc31b5cc48bf561601a29ac030ece12c7a404310ab680b3cd99ba48ffb67ca559e54c73e4f3ae6f329
-
Filesize
16KB
MD5ffcc8be8b7819dcf5659ba12c590cc58
SHA1e03255a32ccf93ff44a35dcb0b1f902188e4735d
SHA256251a463724dc69b1d7f8e452399e10868cee86e33190e6b1a236c4527d18f6ea
SHA512c5e2ecfdec89742b01b2eddfba21f585c397d8ed25845dc9cd7f1df3b51441f8043661bc83b0b47789ce0c411751eaaa0e1471f4d69834c4f1e0662ee7edff1f
-
Filesize
17KB
MD51e841cc21a84ce1a4c5c1024df47375d
SHA1281136135a20777d707a0b3e32a6613c7f210299
SHA2566d698ddcfe38c793adc49c9589cd365d42084dd2f44ff26d294114b1c5c0b063
SHA512fa845c374f4cc9d5cbae7c2e5c1c087659de4980fca09f8b8526db8f19a9e7d1ea4762306e33fa4f8f31d896a64f6c8145df0f8d1910553b4025ca79cf36adad
-
Filesize
16KB
MD5a72a658d14306582df4b335459b3b603
SHA11064f33bef9c11392bc00c2aaf4625b8f0a38e73
SHA2562b873447f978379f615665c803581e2eee803d468efb9e1da1f683a20ecc6a14
SHA512250aed8ba9253a9d47f7d13f7a5b2abe33d0b8c8836cbea6a0619c4202a41cbf6fe3d0f69ef804ea3905437ef854db556a5c11b37af42c98e43535ed52557dc1
-
Filesize
17KB
MD59fb4476a61ca8e5a4dbc28bb86920ddb
SHA16c7e1a20664cb7a5d42adb0e89d8178f36546825
SHA256ff16610f82859a146291a1744d7f70c0193b739b87d01fb1101c930e0f0a55ac
SHA512f9268001a8cd1c7f7dc9b6584a13f4b0b3611956897a82df8628af4bbcefe622c79037e1452c6fe06cc3abf92a9cd6e2b68bd86ba1e27f6a4a19e597793aacdb
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5ff07e178ba8fd05e3b7335166fde1825
SHA1dc44452f11afdd25559d2098f0c045c9b2a28517
SHA256716adcc5d6f564511bd854c6017cff26f1bd0925f2b9bce4b098b579581c2c6e
SHA512454a97d5ce968a888739d06ec6c6ce3d300ab8652ab8afe1a3d4f6b382373a5fcd4bce4f4536ced35bfcf70e24d16e5f6f01300ce9caf3945383e75848e117bd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
918B
MD572726ba6bfd863d0449ca1e27a748dea
SHA185014e495090e503556b1229ef67b9610296af37
SHA2560d142071149151fe256ed12a4f924cbd2e6b29364e087ae78cc1fdcf14c002c5
SHA512e457a94ec6ad36d662bf618036e895bc619b49a2c6796462b0495548dcdef33755dc8d13d6cf08ff22ad27f5255fef1b8ee95de7a3ddc0b0c2614a33c31bc4c7
-
Filesize
32KB
MD5bef770535d2b98e4f24486a5292b16f0
SHA19107f8a6fa3cf0dc2b57e6c97c34c2aa7aaf54a6
SHA25637a4507cff4d8e1ffd01fbab23661cc28a6c024977ea912ce2f49419049d0bf2
SHA512faca2009e37eaf28a39f47c95b63892972583d79ed3d320d2ad81a4862371e0af0237a5675b5e66b10275692128ac488f8255d81b022fbe5dc825c42a5e9537d
-
Filesize
2KB
MD51777a1392599ee91f349c531085272e6
SHA18ea3b893f3d54ed0af575d3f84771a0ce3d01583
SHA256207c3bc6d3aefa28cc110c4e603b331e8cdb7eb154796cb75e399b11106e7030
SHA512ae9872388d6a71c6218e137dba03039fa777dac9e6d119c7cc244059403ccb4f72a1c13e4768593ef82d3d9ff934973b2ffc374cf23fd4ab1f4b4f7f0559786d
-
Filesize
29KB
MD5223b9d97f9bc580f7da1817ebf359223
SHA1091ff63c957787916d1aed9f358b4e921d5312b3
SHA256c90fea5a7efc0a4de0d37bd56b8552a42da2000ef7dc8e8487914c26117b232a
SHA512f79a8e6448ef94f37075612e086b70847c4f59524773a8370cb4361cebf4537dbe0c8cb981f5247682a9fc89af147360e76f386d0d9825dc20d58bca7f0d7158
-
Filesize
2KB
MD54fe0acbf9e356b80fcd82b142b0ebeac
SHA12a6727567b9302b90afa564cd6d0c23b94854229
SHA256bfaca1e75f265a3a16579b589f8247b51e0f6d98fb226f54eab01fe4e2370802
SHA512d33d1d82c2fa462ac69d8731a9e9d5d2da4eb2f90aedfad2d49b7a83e42f49974e2eb2f3fd0b1f671ec0475421c393b29dc32f0c3e217abebf70bae463761785
-
Filesize
2KB
MD58a5e7b67990447b0d82a944f23bd083d
SHA1c4bc4b61452bea9be840637aa591c81c21bb91b0
SHA256088ec55cacd34e911d09f25626eceb0f5c1985fae3b49c93aff56dd13bbc1abf
SHA5124cde5b92a3e6462c4be28e0210cfa85d2723797c1637dd27ca8223c3734285d80657964d2d5e65dc5ecdd97f1cffd667f392201a71e7eb284eb28048eb2848b9
-
Filesize
2KB
MD52bacbeaabaacc8b28a8f471201682da6
SHA14d0b733bc645836d225e5ef7742c50b5b0769802
SHA256b41faac8d5f62af0b93449f07db17da752f553bb963f9fd6d6ff601acdd9a1c2
SHA51284f2e0a6924e5671016027b1e798f9eb16962ef09de3fb63a4211a12a8c168cef21f6bcf43eb1993d041fe33960ff5685e8d2c8ea7f8870e8ed0ef0e6f3b5b78
-
Filesize
25KB
MD5cbe40fd2b1ec96daedc65da172d90022
SHA1366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA2563ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA51262990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
-
Filesize
14KB
MD5
c133aca05825e450a97e1cb474c80964
SHA1
85ac1b4250993c54c852af1eab1f05e9fcd6b327
SHA256
7a7d812895c6c47474217f248d59464eb2a5f163599adf50595536bb9f41339e
SHA512
e752b04a9a68b252c153dc128b111d555b8d2d33f639f0445ebc7bcfd8e741730bc7f02a38c96cb4516cd8944c038c74fead3000f3b7daff57742a394dcb36bb
-
Filesize
1KB
MD5
de825a838e33ccf3d06b82de337c06d8
SHA1
68956e777f646361eae3f06ce6899cd48bb9f593
SHA256
3b63b09dff7e4c5fe7ccafff74d9f845d1eb04809b0b77a536b2e4aa7dd1097e
SHA512
e935ef759abfcafa4d9cf70a1c5508179600fc85d237e53d3e7f2683fa2e14859e5eee167007328995606996a19f4fcc0c1f9a851011a6fa8db6b53c68160a12
-
Filesize
1KB
MD5
a52f3195b5585e1d9a9b38fef66a1801
SHA1
986a5f05ff51d261fe595f0ab56598658aadc9c9
SHA256
40795f603b2eab75fbd886715b0103f2f362494576400ae88925ed1ba7063bdc
SHA512
e9eeb34c3667e56c425b91890f463b5d80e4e5e9f485c2bd3ac064e1784ad118c1460af461e5af8acbbb3bc02432e4f914e54e41d2bdaeaa8af528f0e669b64a
-
Filesize
22KB
MD5
170c17ac80215d0a377b42557252ae10
SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411
SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
-
Filesize
300KB
MD5
c01beb6c3526554ec9dfad40502317f2
SHA1
89f468496bd7e6d993a032f918c5baabb21c11be
SHA256
5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d
SHA512
a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339
-
Filesize
19KB
MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1
SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1
SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
-
Filesize
568B
MD5
cae757421db8d011e41266bfd9439885
SHA1
7108a9f0740ee4e3a118f6ac9212e0446f074181
SHA256
ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204
SHA512
785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5
-
Filesize
624B
MD5
c0e98c00336513acd39490e4d05ab8ec
SHA1
56d4140c68849fbd3e1edd296f0bbc29fb669901
SHA256
f0539c2c8cbce6746d1bd3980f020a1414594246f84fb6383ef39775591aeb71
SHA512
0b75de41aa5b5a030ca9b27039ffa19d368490e9a234712baccd182e85281eabf9141177cc8a8668f130b583e955930f3dee3bb3c035bb979bd2d121a63d54a7
-
Filesize
14KB
MD5
f9e61a25016dcb49867477c1e71a704e
SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9
SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
-
Filesize
2KB
MD5
3dd16cbd205a93523b1e692863a4ef43
SHA1
0b3ad7597cdf3868968783e4d0dd53f7064a8581
SHA256
26b2bcce404f79f26adf3886f3565a08390ec19635235729c8b164f71286057b
SHA512
82e9d18b42fd5a66c0272f263ade9540872a67f92055624bd8632bc727dc2e69673f8dc58f45737bd53902969a119248e943bb543b311bb34e23bfa92666e966
-
Filesize
2KB
MD5
9e816d5bea7f140a72381500eb58d252
SHA1
11e20766ba5f72e18d59cc8750a705a0dd6b4978
SHA256
e597825fa7a2dbd730cb1472de5655bf736e85a903724233c6900af7ee6624bc
SHA512
8c04c06418070204c3c7e6fe05c5fbfd57e045c715bfd8cfab20acc710760aedd6d820c41a786952e5764ce2b4908cf898391b7368f3d498e44ea13eb71fbe92
-
Filesize
7KB
MD5
dd4bc901ef817319791337fb345932e8
SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c
SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71
SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin
Filesize
8KB
MD5
7de6dc5796c7be55afe676fc0c7a2280
SHA1
573c5e533c0456b9778c94d9316e725d24baf388
SHA256
802a053ddbb42a25b4d60b885f3f52c9708ee970b55a8a11a500fdc72799f72f
SHA512
0d4b242b1776216d094fddcf0768a4a0905bca13cce11d1a56144c19f9cb3c182999369239523d34eed497b6ea68e5876280675faf48796b1e535954810a41e5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
0b6822e86004328893a95bdb941e7478
SHA1
d4eab2620b9a583a3133520d84c1b00c012286cc
SHA256
09adbad86f61cbad6dba8e86e570ad5fde169ea4139fd26197638c1543276481
SHA512
ca1b5607a6a5a5f7e7fb07d67b77a9e9e40de436fda0ddcf4cc987a6f426f7b02cc4df71b10688552730bf6d508bef6a6465865f8678434723ee4c5e553dd4ec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\391ce881-791e-4999-805a-44f4cc78c6ac
Filesize
25KB
MD5
5745254426d7e097f5498d212aef67e9
SHA1
7281daaa20f8d75e8467935e0fb6616994c22580
SHA256
db5e38e02807c8fc72820b4ccb3e49658e8ddf9235d2ad5348e3fc254ecb60d4
SHA512
dd556679fb94d51d4c8fafebd717a5e2fee54399ebafd539b6ad026e1c4ea7bed859a59a936c4d53f7cb9363b2720c69957b9e6eb989ac45d175ee02e88826d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\743bf3b6-8504-4f5a-97fe-33defdbd280b
Filesize
671B
MD5
ef14a15cc11e1254032fa7996bc2fe09
SHA1
d56072fc4a972e24838ac1ecb09b90cf757e1470
SHA256
23f6f8f93a89ebbbd1e47c59dbea1f609aed4c0ab7042989ce092e398feb24f9
SHA512
caec13e06d468f0efb172777a25c629236ff3b1bacd4b2eff13bf9e1bb863dee9a70f9d48c18555768579061d591259ec32b6e7c08aab8ee7f0c0c303447b013
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\fdcf21a4-1ac5-40dc-8bbc-75bf688d6fca
Filesize
982B
MD5
38ea4f14a892a23fc36c6d781b7d1a3d
SHA1
f5ea05a0968095aba55115bd77afc26d81da3210
SHA256
c23217fad9c74258ab3065d14726b5ad0b59ba01526e90a64fbd34f224c44318
SHA512
4c99a93ba4554a59cb8ef893676bfbcd05134ffbcf86bdea4829a64c7c7a81e4a0b75a0cc42c78e3954fa3dd41ac8fe437d6b4bf53ad90404ef0c48b973d1b73
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5
44013c50576d414767c75de9f1465559
SHA1
502494629816ffad6b3605145a5b5673ef1cc538
SHA256
c9378f29affa7054f90a3879cddfebdb5d42bbcc28d9911aa8e5418704a0c269
SHA512
b39f5d4a6a66e5aa382cd794f8c70962773307e2a991db30aa4c52e718142a65e02e2349c74b7c8d82f2d27dbac9b49992e375c934e44d33dc764a89d4c6e459