Analysis
max time kernel: 350s
max time network: 354s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 11-12-2024 15:58
Behavioral tasks (resource win10ltsc2021-20241023-en for every task)
behavioral1: virus/FrozenPerm_CRACKED.exe
behavioral2: virus/Wireshark-4.4.2-x64.exe
behavioral3: $PLUGINSDIR/InstallOptions.dll
behavioral4: $PLUGINSDIR/System.dll
behavioral5: Qt6Gui.dll
behavioral6: Qt6Network.dll
behavioral7: Qt6Svg.dll
behavioral8: USBPcapSetup-1.5.4.0.exe
behavioral9: WinSparkle.dll
behavioral10: Wireshark.exe
behavioral11: brotlicommon.dll
behavioral12: bz2.dll
behavioral13: charset-1.dll
behavioral14: comerr64.dll
behavioral15: d3dcompiler_47.dll
behavioral16: snappy.dll
behavioral17: snmp/mibs/AGGREGATE-MIB.vbs
behavioral18: snmp/mibs/DISMAN-EVENT-MIB.vbs
behavioral19: snmp/mibs/DISMAN-EXPRESSION-MIB.vbs
behavioral20: snmp/mibs/FRAME-RELAY-DTE-MIB.vbs
behavioral21: styles/qwindowsvistastyle.dll
behavioral22: tls/qcertonlybackend.dll
behavioral23: tls/qopensslbackend.dll
behavioral24: tls/qschannelbackend.dll
behavioral25: tshark.exe
behavioral26: tshark.html
behavioral27: vc_redist.x64.exe
behavioral28: wireshark-filter.html
behavioral29: wireshark.html
behavioral30: zlib-ng2.dll
behavioral31: zlib1.dll
behavioral32: zstd.dll
General
Target: virus/Wireshark-4.4.2-x64.exe
Size: 83.2MB
MD5: 5753792c3617a96786bf3df591ffafdf
SHA1: 20a4304ff7153e38f07121a76a59f442b369cd42
SHA256: 69a7f6e94e3744422efbb83528d42dd3ee19c12e253db040c33b75453152dce2
SHA512: 68d3504b7c561bd9909ecf593b88fb5faf44951a50dc18dc5926241a5502201ee3a5111a2ce018871bdb0cc24f25d7c8057faf5b98e005a067a057b35d2188b3
SSDEEP: 1572864:JEgr3yLzlPfF5kO8l0/z75q5V9STIO1xOi3QOExUmdeiS3Gl1dN2Ohge1n+pB:JJ3WQPC7g0LOHl/LnrdNpbOB
Malware Config
Signatures
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell and hides the display window.
- pid 1204 powershell.exe
- pid 3248 powershell.exe
- pid 4412 powershell.exe
- pid 416 powershell.exe
- pid 4272 powershell.exe
- pid 456 powershell.exe
Drops file in Drivers directory (3 IoCs)
- File opened for modification: C:\Windows\system32\DRIVERS\SET74B.tmp [NPFInstall.exe]
- File created: C:\Windows\system32\DRIVERS\SET74B.tmp [NPFInstall.exe]
- File opened for modification: C:\Windows\system32\DRIVERS\npcap.sys [NPFInstall.exe]
Manipulates Digital Signatures (1 TTPs, 8 IoCs)
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" [certutil.exe]
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" [certutil.exe]
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = (binary value omitted) [certutil.exe]
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = (binary value omitted) [certutil.exe]
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = (binary value omitted) [certutil.exe]
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = (binary value omitted) [certutil.exe]
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = (binary value omitted) [certutil.exe]
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" [certutil.exe]
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{77169412-f642-45e7-b533-0c6f48de12f9} = "\"C:\\ProgramData\\Package Cache\\{77169412-f642-45e7-b533-0c6f48de12f9}\\VC_redist.x64.exe\" /burn.runonce" [VC_redist.x64.exe]
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 23 entries are "File opened (read-only)" by msiexec.exe, in the order reported:
\??\Y:, \??\E:, \??\N:, \??\O:, \??\R:, \??\S:, \??\G:, \??\J:, \??\K:, \??\Q:, \??\U:, \??\X:, \??\B:, \??\L:, \??\P:, \??\V:, \??\W:, \??\Z:, \??\A:, \??\H:, \??\I:, \??\M:, \??\T:
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation [vc_redist.x64.exe]
Drops file in System32 directory (64 IoCs)
- File created: C:\Windows\system32\msvcp140_atomic_wait.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140cht.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140chs.dll [msiexec.exe]
- File created: C:\Windows\system32\Npcap\wpcap.dll [npcap-1.79.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\NPCAP.inf [DrvInst.exe]
- File opened for modification: C:\Windows\system32\msvcp140.dll [msiexec.exe]
- File created: C:\Windows\system32\msvcp140_2.dll [msiexec.exe]
- File created: C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF [NPFInstall.exe]
- File opened for modification: C:\Windows\system32\mfc140kor.dll [msiexec.exe]
- File created: C:\Windows\system32\Npcap\NpcapHelper.exe [npcap-1.79.exe]
- File opened for modification: C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\NPCAP.inf [DrvInst.exe]
- File opened for modification: C:\Windows\system32\mfc140fra.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140jpn.dll [msiexec.exe]
- File created: C:\Windows\system32\concrt140.dll [msiexec.exe]
- File created: C:\Windows\system32\msvcp140.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140ita.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140kor.dll [msiexec.exe]
- File created: C:\Windows\system32\Npcap\Packet.dll [npcap-1.79.exe]
- File opened for modification: C:\Windows\system32\vcruntime140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\vcamp140.dll [msiexec.exe]
- File created: C:\Windows\system32\vcruntime140_threads.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140fra.dll [msiexec.exe]
- File created: C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF [NPFInstall.exe]
- File created: C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF [NPFInstall.exe]
- File opened for modification: C:\Windows\system32\msvcp140_1.dll [msiexec.exe]
- File created: C:\Windows\system32\vcruntime140_1.dll [msiexec.exe]
- File created: C:\Windows\system32\msvcp140_1.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140cht.dll [msiexec.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\SET47C.tmp [DrvInst.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\npcap.cat [DrvInst.exe]
- File opened for modification: C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.cat [DrvInst.exe]
- File opened for modification: C:\Windows\system32\msvcp140_atomic_wait.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\msvcp140_codecvt_ids.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140jpn.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140u.dll [msiexec.exe]
- File opened for modification: C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.sys [DrvInst.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4} [DrvInst.exe]
- File created: C:\Windows\system32\vcamp140.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140esn.dll [msiexec.exe]
- File created: C:\Windows\SysWOW64\Npcap\Packet.dll [npcap-1.79.exe]
- File created: C:\Windows\system32\Npcap\WlanHelper.exe [npcap-1.79.exe]
- File created: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\SET47C.tmp [DrvInst.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\npcap.sys [DrvInst.exe]
- File opened for modification: C:\Windows\System32\CatRoot2\dberr.txt [DrvInst.exe]
- File created: C:\Windows\system32\mfc140deu.dll [msiexec.exe]
- File created: C:\Windows\system32\mfcm140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\vcruntime140_1.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfcm140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140rus.dll [msiexec.exe]
- File created: C:\Windows\system32\mfc140rus.dll [msiexec.exe]
- File created: C:\Windows\system32\vccorlib140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140esn.dll [msiexec.exe]
- File created: C:\Windows\system32\vcruntime140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140deu.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\mfc140enu.dll [msiexec.exe]
- File created: C:\Windows\SysWOW64\Npcap\wpcap.dll [npcap-1.79.exe]
- File created: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\SET47D.tmp [DrvInst.exe]
- File created: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\SET48E.tmp [DrvInst.exe]
- File opened for modification: C:\Windows\system32\concrt140.dll [msiexec.exe]
- File opened for modification: C:\Windows\system32\vcomp140.dll [msiexec.exe]
- File created: C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF [NPFInstall.exe]
- File created: C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF [NPFInstall.exe]
- File opened for modification: C:\Windows\System32\DriverStore\Temp\{16652bda-7b88-324c-bbd2-5e44712d66b4}\SET47D.tmp [DrvInst.exe]
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File created" by Wireshark-4.4.2-x64.exe; paths are relative to C:\Program Files\Wireshark\, in the order reported:
- snmp\mibs\CLNS-MIB
- snmp\mibs\DISMAN-PING-MIB
- snmp\mibs\FLOW-METER-MIB
- snmp\mibs\SOFTWIRE-MESH-MIB
- snmp\mibs\RSVP-PCC-PIB-orig
- k5sprt64.dll
- radius\dictionary.fortinet
- radius\dictionary.navini
- snmp\mibs\ietf-netconf-acm.yang
- Wireshark User's Guide\ChBuildInstallWinBuild.html
- Wireshark User's Guide\images\toolbar\x-capture-file-close.png
- snmp\mibs\ietf-snmp-tls.yang
- radius\dictionary.citrix
- radius\dictionary.purewave
- snmp\mibs\DNS-SERVER-MIB
- cfilters
- snmp\mibs\CIRCUIT-IF-MIB
- snmp\mibs\EFM-CU-MIB
- snmp\mibs\PerfHist-TC-MIB
- Wireshark User's Guide\ChCapInterfaceSection.html
- Wireshark User's Guide\ChWorkFilterAddExpressionSection.html
- Wireshark User's Guide\images\ws-expert-information.png
- Wireshark User's Guide\images\ws-pref-statistics.png
- radius\dictionary.unisphere
- snmp\mibs\ADSL-LINE-EXT-MIB
- snmp\mibs\IPSEC-SPD-MIB
- Wireshark User's Guide\ChStatHTTP2.html
- radius\dictionary.localweb
- snmp\mibs\MAU-MIB
- snmp\mibs\SNMPv2-TC
- snmp\mibs\RFC1316-MIB
- snmp\mibs\SNA-NAU-MIB
- translations\qt_pt_BR.qm
- plugins\4.4\epan\opcua.dll
- snmp\mibs\MPLS-LDP-STD-MIB
- snmp\mibs\IPS-AUTH-MIB
- snmp\mibs\RFC1381-MIB
- Wireshark User's Guide\AppToolsrawshark.html
- radius\dictionary.lantronix
- radius\dictionary.sonicwall
- imageformats\qsvg.dll
- Wireshark User's Guide\ChWorkShiftTimePacketSection.html
- Wireshark User's Guide\images\ws-stats-conversations.png
- Wireshark User's Guide\images\toolbar\filter-toolbar-bookmark.png
- radius\dictionary.bt
- snmp\mibs\DS0BUNDLE-MIB
- Wireshark User's Guide\ChCapCompiledFilterOutputSection.html
- snmp\mibs\NHDP-MIB
- snmp\mibs\[email protected]
- Wireshark User's Guide\images\ws-capture-options.png
- Wireshark User's Guide\images\toolbar\x-capture-options.png
- radius\dictionary.alvarion
- radius\dictionary.surfnet
- snmp\mibs\DOCS-IETF-CABLE-DEVICE-NOTIFICATION-MIB
- Wireshark User's Guide\images\ws-tools-menu.png
- snmp\mibs\HC-ALARM-MIB
- Wireshark User's Guide\ChUseStatusbarSection.html
- Wireshark User's Guide\ChWorkBuildDisplayFilterSection.html
- snmp\mibs\IPV6-ICMP-MIB
- Wireshark User's Guide\ChTelRTP.html
- Wireshark User's Guide\images\ws-coloring-fields.png
- Wireshark User's Guide\images\ws-wireless-menu.png
- radius\dictionary.alvarion.wimax.v2_2
- plugins\4.4\epan\ethercat.dll
Drops file in Windows directory (21 IoCs)
- File opened for modification: C:\Windows\INF\setupapi.dev.log [DrvInst.exe]
- File created: C:\Windows\INF\oem3.PNF [NPFInstall.exe]
- File opened for modification: C:\Windows\Installer\e5b9ae5.msi [msiexec.exe]
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log [msiexec.exe]
- File opened for modification: C:\Windows\Installer\ [msiexec.exe]
- File opened for modification: C:\Windows\Installer\MSI9C3C.tmp [msiexec.exe]
- File opened for modification: C:\Windows\Installer\MSI9ECE.tmp [msiexec.exe]
- File created: C:\Windows\Installer\e5b9ae5.msi [msiexec.exe]
- File opened for modification: C:\Windows\INF\setupapi.dev.log [svchost.exe]
- File opened for modification: C:\Windows\inf\oem3.inf [DrvInst.exe]
- File created: C:\Windows\Installer\SourceHash{560D2DA4-096E-4868-B22A-DA6418FDE6FB} [msiexec.exe]
- File created: C:\Windows\Installer\e5b9af7.msi [msiexec.exe]
- File opened for modification: C:\Windows\Installer\e5b9af8.msi [msiexec.exe]
- File created: C:\Windows\inf\oem3.inf [DrvInst.exe]
- File created: C:\Windows\Installer\e5b9b0d.msi [msiexec.exe]
- File opened for modification: C:\Windows\INF\setupapi.dev.log [NPFInstall.exe]
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi [msiexec.exe]
- File created: C:\Windows\Installer\e5b9af8.msi [msiexec.exe]
- File opened for modification: C:\Windows\Installer\MSIA363.tmp [msiexec.exe]
- File created: C:\Windows\Installer\SourceHash{5904914B-9FC8-44C2-AE48-5C7F30A603EC} [msiexec.exe]
- File opened for modification: C:\Windows\Installer\MSIA577.tmp [msiexec.exe]
Executes dropped EXE (16 IoCs)
- pid 4560 vc_redist.x64.exe
- pid 1632 vc_redist.x64.exe
- pid 3920 VC_redist.x64.exe
- pid 2712 npcap-1.79.exe
- pid 892 NPFInstall.exe
- pid 3888 NPFInstall.exe
- pid 1132 NPFInstall.exe
- pid 4092 NPFInstall.exe
- pid 3740 Wireshark.exe
- pid 3088 etwdump.exe
- pid 4660 etwdump.exe
- pid 4424 dumpcap.exe
- pid 3192 etwdump.exe
- pid 1280 dumpcap.exe
- pid 2108 dumpcap.exe
- pid 1064 dumpcap.exe
Loads dropped DLL (64 IoCs)
The 64 entries name only five loading processes, each listed repeatedly, in order of first appearance:
- pid 3692 Wireshark-4.4.2-x64.exe (repeated entries)
- pid 1632 vc_redist.x64.exe
- pid 1296 VC_redist.x64.exe
- pid 2712 npcap-1.79.exe (repeated entries)
- pid 3740 Wireshark.exe (repeated entries)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 20 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- powershell.exe (6 entries)
- certutil.exe (6 entries)
- VC_redist.x64.exe (4 entries)
- vc_redist.x64.exe (2 entries)
- Wireshark-4.4.2-x64.exe (1 entry)
- npcap-1.79.exe (1 entry)
Checks SCSI registry key(s) (3 TTPs, 43 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [vssvc.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 [svchost.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 [NPFInstall.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ [NPFInstall.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 [svchost.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ [NPFInstall.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A [NPFInstall.exe]
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr [vssvc.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 [NPFInstall.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters [vssvc.exe]
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters [vssvc.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 [svchost.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 [NPFInstall.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ [NPFInstall.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 [NPFInstall.exe]
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) [vssvc.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A [NPFInstall.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ [NPFInstall.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A [NPFInstall.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 [svchost.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags [svchost.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom [DrvInst.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs [DrvInst.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A [NPFInstall.exe]
Checks processor information in registry 2 TTPs 35 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the reads come from Wireshark.exe and dumpcap.exe, which include the CPU model (ProcessorNameString) in their version information, so on its own this hit is expected for a Wireshark install rather than evidence of evasion.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Wireshark.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Wireshark.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Wireshark.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Wireshark.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | dumpcap.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | dumpcap.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Wireshark.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | dumpcap.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dumpcap.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dumpcap.exe
Modifies data under HKEY_USERS 59 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33816" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5904914B-9FC8-44C2-AE48-5C7F30A603EC}v14.40.33816\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | VC_redist.x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tr1\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\" \"%1\"" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcap | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.scap | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tpc\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | VC_redist.x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.trc | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scap\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.apc | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.erf\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pcap\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vwr\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.acp\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.out | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AD2D065E69086842BA2AD4681DF6EBF\Provider | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\SourceList\Media | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vwr | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpz\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\ = "{77169412-f642-45e7-b533-0c6f48de12f9}" | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\Version = "237536280" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ems\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rtp | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tpc | Wireshark-4.4.2-x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\4AD2D065E69086842BA2AD4681DF6EBF | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5vw | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.acp | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{560D2DA4-096E-4868-B22A-DA6418FDE6FB}v14.40.33816\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.trace\ = "wireshark-capture-file" | Wireshark-4.4.2-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\Version = "237536280" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{5904914B-9FC8-44C2-AE48-5C7F30A603EC}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B41940958CF92C44EA84C5F7036A30CE\Provider | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.atc | Wireshark-4.4.2-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33816" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AD2D065E69086842BA2AD4681DF6EBF\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B41940958CF92C44EA84C5F7036A30CE\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pkt | Wireshark-4.4.2-x64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B41940958CF92C44EA84C5F7036A30CE | msiexec.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3740 | Wireshark.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
1032 | msiexec.exe
892 | NPFInstall.exe
892 | NPFInstall.exe
456 | powershell.exe
456 | powershell.exe
1204 | powershell.exe
1204 | powershell.exe
3248 | powershell.exe
3248 | powershell.exe
4412 | powershell.exe
4412 | powershell.exe
416 | powershell.exe
416 | powershell.exe
4272 | powershell.exe
4272 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3740 | Wireshark.exe
Suspicious behavior: LoadsDriver 5 IoCs
pid | Process
668 | Process not Found
668 | Process not Found
668 | Process not Found
668 | Process not Found
668 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeBackupPrivilege | 3400 | vssvc.exe
Token: SeRestorePrivilege | 3400 | vssvc.exe
Token: SeAuditPrivilege | 3400 | vssvc.exe
Token: SeShutdownPrivilege | 3920 | VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege | 3920 | VC_redist.x64.exe
Token: SeSecurityPrivilege | 1032 | msiexec.exe
Token: SeCreateTokenPrivilege | 3920 | VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege | 3920 | VC_redist.x64.exe
Token: SeLockMemoryPrivilege | 3920 | VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege | 3920 | VC_redist.x64.exe
Token: SeMachineAccountPrivilege | 3920 | VC_redist.x64.exe
Token: SeTcbPrivilege | 3920 | VC_redist.x64.exe
Token: SeSecurityPrivilege | 3920 | VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege | 3920 | VC_redist.x64.exe
Token: SeLoadDriverPrivilege | 3920 | VC_redist.x64.exe
Token: SeSystemProfilePrivilege | 3920 | VC_redist.x64.exe
Token: SeSystemtimePrivilege | 3920 | VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege | 3920 | VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege | 3920 | VC_redist.x64.exe
Token: SeCreatePagefilePrivilege | 3920 | VC_redist.x64.exe
Token: SeCreatePermanentPrivilege | 3920 | VC_redist.x64.exe
Token: SeBackupPrivilege | 3920 | VC_redist.x64.exe
Token: SeRestorePrivilege | 3920 | VC_redist.x64.exe
Token: SeShutdownPrivilege | 3920 | VC_redist.x64.exe
Token: SeDebugPrivilege | 3920 | VC_redist.x64.exe
Token: SeAuditPrivilege | 3920 | VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege | 3920 | VC_redist.x64.exe
Token: SeChangeNotifyPrivilege | 3920 | VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege | 3920 | VC_redist.x64.exe
Token: SeUndockPrivilege | 3920 | VC_redist.x64.exe
Token: SeSyncAgentPrivilege | 3920 | VC_redist.x64.exe
Token: SeEnableDelegationPrivilege | 3920 | VC_redist.x64.exe
Token: SeManageVolumePrivilege | 3920 | VC_redist.x64.exe
Token: SeImpersonatePrivilege | 3920 | VC_redist.x64.exe
Token: SeCreateGlobalPrivilege | 3920 | VC_redist.x64.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3740 | Wireshark.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3692 wrote to memory of 4560 | 3692 | Wireshark-4.4.2-x64.exe | 87
PID 3692 wrote to memory of 4560 | 3692 | Wireshark-4.4.2-x64.exe | 87
PID 3692 wrote to memory of 4560 | 3692 | Wireshark-4.4.2-x64.exe | 87
PID 4560 wrote to memory of 1632 | 4560 | vc_redist.x64.exe | 88
PID 4560 wrote to memory of 1632 | 4560 | vc_redist.x64.exe | 88
PID 4560 wrote to memory of 1632 | 4560 | vc_redist.x64.exe | 88
PID 1632 wrote to memory of 3920 | 1632 | vc_redist.x64.exe | 89
PID 1632 wrote to memory of 3920 | 1632 | vc_redist.x64.exe | 89
PID 1632 wrote to memory of 3920 | 1632 | vc_redist.x64.exe | 89
PID 3920 wrote to memory of 4596 | 3920 | VC_redist.x64.exe | 98
PID 3920 wrote to memory of 4596 | 3920 | VC_redist.x64.exe | 98
PID 3920 wrote to memory of 4596 | 3920 | VC_redist.x64.exe | 98
PID 4596 wrote to memory of 1296 | 4596 | VC_redist.x64.exe | 99
PID 4596 wrote to memory of 1296 | 4596 | VC_redist.x64.exe | 99
PID 4596 wrote to memory of 1296 | 4596 | VC_redist.x64.exe | 99
PID 1296 wrote to memory of 4644 | 1296 | VC_redist.x64.exe | 100
PID 1296 wrote to memory of 4644 | 1296 | VC_redist.x64.exe | 100
PID 1296 wrote to memory of 4644 | 1296 | VC_redist.x64.exe | 100
PID 3692 wrote to memory of 2712 | 3692 | Wireshark-4.4.2-x64.exe | 101
PID 3692 wrote to memory of 2712 | 3692 | Wireshark-4.4.2-x64.exe | 101
PID 3692 wrote to memory of 2712 | 3692 | Wireshark-4.4.2-x64.exe | 101
PID 2712 wrote to memory of 892 | 2712 | npcap-1.79.exe | 102
PID 2712 wrote to memory of 892 | 2712 | npcap-1.79.exe | 102
PID 2712 wrote to memory of 456 | 2712 | npcap-1.79.exe | 104
PID 2712 wrote to memory of 456 | 2712 | npcap-1.79.exe | 104
PID 2712 wrote to memory of 456 | 2712 | npcap-1.79.exe | 104
PID 2712 wrote to memory of 1204 | 2712 | npcap-1.79.exe | 106
PID 2712 wrote to memory of 1204 | 2712 | npcap-1.79.exe | 106
PID 2712 wrote to memory of 1204 | 2712 | npcap-1.79.exe | 106
PID 1204 wrote to memory of 3848 | 1204 | powershell.exe | 108
PID 1204 wrote to memory of 3848 | 1204 | powershell.exe | 108
PID 1204 wrote to memory of 3848 | 1204 | powershell.exe | 108
PID 2712 wrote to memory of 3008 | 2712 | npcap-1.79.exe | 109
PID 2712 wrote to memory of 3008 | 2712 | npcap-1.79.exe | 109
PID 2712 wrote to memory of 3008 | 2712 | npcap-1.79.exe | 109
PID 2712 wrote to memory of 2020 | 2712 | npcap-1.79.exe | 111
PID 2712 wrote to memory of 2020 | 2712 | npcap-1.79.exe | 111
PID 2712 wrote to memory of 2020 | 2712 | npcap-1.79.exe | 111
PID 2712 wrote to memory of 3248 | 2712 | npcap-1.79.exe | 113
PID 2712 wrote to memory of 3248 | 2712 | npcap-1.79.exe | 113
PID 2712 wrote to memory of 3248 | 2712 | npcap-1.79.exe | 113
PID 2712 wrote to memory of 4412 | 2712 | npcap-1.79.exe | 115
PID 2712 wrote to memory of 4412 | 2712 | npcap-1.79.exe | 115
PID 2712 wrote to memory of 4412 | 2712 | npcap-1.79.exe | 115
PID 2712 wrote to memory of 1164 | 2712 | npcap-1.79.exe | 117
PID 2712 wrote to memory of 1164 | 2712 | npcap-1.79.exe | 117
PID 2712 wrote to memory of 1164 | 2712 | npcap-1.79.exe | 117
PID 2712 wrote to memory of 2836 | 2712 | npcap-1.79.exe | 119
PID 2712 wrote to memory of 2836 | 2712 | npcap-1.79.exe | 119
PID 2712 wrote to memory of 2836 | 2712 | npcap-1.79.exe | 119
PID 2712 wrote to memory of 4656 | 2712 | npcap-1.79.exe | 121
PID 2712 wrote to memory of 4656 | 2712 | npcap-1.79.exe | 121
PID 2712 wrote to memory of 4656 | 2712 | npcap-1.79.exe | 121
PID 2712 wrote to memory of 3888 | 2712 | npcap-1.79.exe | 123
PID 2712 wrote to memory of 3888 | 2712 | npcap-1.79.exe | 123
PID 3888 wrote to memory of 4720 | 3888 | NPFInstall.exe | 125
PID 3888 wrote to memory of 4720 | 3888 | NPFInstall.exe | 125
PID 2712 wrote to memory of 1132 | 2712 | npcap-1.79.exe | 127
PID 2712 wrote to memory of 1132 | 2712 | npcap-1.79.exe | 127
PID 2712 wrote to memory of 4092 | 2712 | npcap-1.79.exe | 129
PID 2712 wrote to memory of 4092 | 2712 | npcap-1.79.exe | 129
PID 1828 wrote to memory of 4344 | 1828 | svchost.exe | 133
PID 1828 wrote to memory of 4344 | 1828 | svchost.exe | 133
PID 2712 wrote to memory of 416 | 2712 | npcap-1.79.exe | 134
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\virus\Wireshark-4.4.2-x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\virus\Wireshark-4.4.2-x64.exe"
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692 -
Process (depth 2): C:\Program Files\Wireshark\vc_redist.x64.exe
Command line: "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
Process (depth 3): C:\Windows\Temp\{F3FB4132-5560-4563-91F2-BE63D4709723}\.cr\vc_redist.x64.exe
Command line: "C:\Windows\Temp\{F3FB4132-5560-4563-91F2-BE63D4709723}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=692 /install /quiet /norestart
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632 -
Process (depth 4): C:\Windows\Temp\{8918A7E6-B342-4D01-B41D-3D81C3D7368E}\.be\VC_redist.x64.exe
Command line: "C:\Windows\Temp\{8918A7E6-B342-4D01-B41D-3D81C3D7368E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{1139B49F-4C3D-46DB-AB67-C1D1C2210742} {7CCF75F8-A657-4ADD-948E-46BDE2982FBE} 1632
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920 -
Process (depth 5): C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={77169412-f642-45e7-b533-0c6f48de12f9} -burn.filehandle.self=1020 -burn.embedded BurnPipe.{925D43F7-B619-498D-A743-CFAC1761D451} {5222425B-8149-412A-B1C8-6A9B6DDF0750} 3920
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
Process (depth 6): C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 -uninstall -quiet -burn.related.upgrade -burn.ancestors={77169412-f642-45e7-b533-0c6f48de12f9} -burn.filehandle.self=1020 -burn.embedded BurnPipe.{925D43F7-B619-498D-A743-CFAC1761D451} {5222425B-8149-412A-B1C8-6A9B6DDF0750} 3920
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
Process (depth 7): C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Command line: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{1D4A2DCB-CB9B-4F0F-8F04-F8982EF27B56} {B2B9DB57-1C48-47B3-A24B-F6A88DBF6E3F} 1296
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4644
Process (depth 2): C:\Program Files\Wireshark\npcap-1.79.exe
Command line: "C:\Program Files\Wireshark\npcap-1.79.exe" /winpcap_mode=no /loopback_support=no
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\NPFInstall.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\NPFInstall.exe" -n -check_dll
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:892
Process (depth 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:456
Process (depth 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204 -
Process (depth 4): C:\Windows\SysWOW64\certutil.exe
Command line: "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:3848
Process (depth 3): C:\Windows\SysWOW64\certutil.exe
Command line: certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"3⤵
- System Location Discovery: System Language Discovery
PID:2020
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3248
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4412
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"3⤵
- System Location Discovery: System Language Discovery
PID:1164
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"3⤵
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\signing.p7b"3⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:4656
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -c3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SYSTEM32\pnputil.exepnputil.exe -e4⤵PID:4720
-
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -iw3⤵
- Executes dropped EXE
PID:1132
-
-
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -i3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4092
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:416
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4272
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:41⤵PID:776
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7f990359-e6cb-8a42-8bd5-cd602cd74f19}\NPCAP.inf" "9" "405306be3" "00000000000001CC" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files\Npcap"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4344
-
-
C:\Program Files\Wireshark\Wireshark.exe"C:\Program Files\Wireshark\Wireshark.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3740 -
C:\Program Files\Wireshark\extcap\etwdump.exe"C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-interfaces --extcap-version=4.42⤵
- Executes dropped EXE
PID:3088
-
-
C:\Program Files\Wireshark\extcap\etwdump.exe"C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump2⤵
- Executes dropped EXE
PID:4660
-
-
C:\Program Files\Wireshark\dumpcap.exe"C:\Program Files\Wireshark\dumpcap.exe" --log-level MESSAGE -S -D -L --signal-pipe 3740.dummy -Z 19042⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4424
-
-
C:\Program Files\Wireshark\extcap\etwdump.exe"C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-dlts --extcap-interface etwdump2⤵
- Executes dropped EXE
PID:3192
-
-
C:\Program Files\Wireshark\dumpcap.exe"C:\Program Files\Wireshark\dumpcap.exe" --log-level MESSAGE -S --signal-pipe 3740.dummy -Z 28402⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1280
-
-
C:\Program Files\Wireshark\dumpcap.exe"C:\Program Files\Wireshark\dumpcap.exe" --log-level MESSAGE -F pcapng -i \Device\NPF_Loopback --ifdescr "Adapter for loopback traffic capture" --signal-pipe 3740 -Z 28362⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2108
-
-
C:\Program Files\Wireshark\dumpcap.exe"C:\Program Files\Wireshark\dumpcap.exe" --log-level MESSAGE -S --signal-pipe 3740.dummy -Z 28362⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1064
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:1132
-
C:\Windows\system32\net.exenet start npcap2⤵PID:3360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start npcap3⤵PID:4948
-
-
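The npcap-1.79.exe subtree above is where the trust-relevant work happens: PowerShell prunes duplicate root certificates by thumbprint, certutil re-adds two roots from .sst files and a signing certificate into TrustedPublisher, NPFInstall.exe installs the driver, and a scheduled task named npcapwatchdog is registered to run CheckStatus.bat as SYSTEM at every boot. That sequence is consistent with what the stock Npcap installer does to get its driver in without a prompt, so the triage question is not whether these steps happened but whether the certificates and binaries involved are the genuine ones. The Python below is an added example written for this page (editor's code, not from the sandbox, Npcap or Wireshark): it parses records in the flattened form the report renders, rebuilds parent links from the level digit, flags store writes, store removals, the SYSTEM startup task and the driver install, and compares every thumbprint touched against an allow-list. The sample records are a subset copied from the report; EXPECTED_THUMBPRINTS is an assumption the analyst must populate from an authoritative reference.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# One report record: image path fused to its command line, a one-digit tree
# level, the "⤵" glyph and an optional inline PID; "- behaviour" and "PID:n" follow.
RECORD_RE = re.compile(r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<level>\d)⤵(?:PID:(?P<pid>\d+))?$')
THUMB_RE = re.compile(r'\b[0-9a-f]{40}\b', re.I)                       # SHA-1 thumbprint
ADDSTORE_RE = re.compile(r'-addstore\s+(?:-f\s+)?"?([A-Za-z]+)"?', re.I)  # certutil store name

# ASSUMPTION (fill from an authoritative reference): thumbprints the installer is
# expected to touch. The editor believes these two are DigiCert roots already in
# the Windows root program; nothing below depends on that belief.
EXPECTED_THUMBPRINTS = {'0563b8630d62d75abbc8ab1e4bdfb5a899b24d43',
                        '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'}


@dataclass
class Proc:
    image: str
    cmdline: str
    level: int
    pid: Optional[int] = None
    parent: Optional['Proc'] = field(default=None, repr=False)
    behaviours: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Parse the flattened report lines into Proc records with parent links."""
    procs, by_level = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':            # blank lines and list residue
            continue
        m = RECORD_RE.match(line)
        if m:
            lvl = int(m['level'])
            p = Proc(m['image'], m['cmd'].strip(), lvl,
                     int(m['pid']) if m['pid'] else None, by_level.get(lvl - 1))
            by_level = {k: v for k, v in by_level.items() if k < lvl}
            by_level[lvl] = p
            procs.append(p)
        elif line.startswith('PID:') and procs:
            procs[-1].pid = int(line[4:])
        elif line.startswith('- ') and procs:
            procs[-1].behaviours.append(line[2:])
    return procs


def classify(p: Proc) -> Set[str]:
    """Tag a process with the trust-store, persistence and driver actions it performs."""
    tags, cmd = set(), p.cmdline
    exe = p.image.rsplit('\\', 1)[-1].lower()
    if exe == 'certutil.exe' and (m := ADDSTORE_RE.search(cmd)):
        tags.add('cert-store-write:' + m.group(1))     # Root, TrustedPublisher, ...
    if exe == 'powershell.exe' and 'Cert:\\LocalMachine\\' in cmd and 'Remove-Item' in cmd:
        tags.add('cert-store-remove')
    if 'Register-ScheduledTask' in cmd:
        tags.add('scheduled-task')
        if '-AtStartup' in cmd and "UserId 'SYSTEM'" in cmd:
            tags.add('persistence:system-at-startup')
    if exe in ('pnputil.exe', 'drvinst.exe') or (exe == 'npfinstall.exe' and re.search(r'\s-i\b', cmd)):
        tags.add('driver-install')
    return tags


def triage(text: str, expected: Set[str] = EXPECTED_THUMBPRINTS) -> dict:
    """Which PIDs wrote or pruned certificate stores, registered the startup task
    or installed the driver, and which thumbprints touched are off the allow-list."""
    out = {'processes': 0, 'store_writes': [], 'store_removes': [], 'persistence': [],
           'driver_install': [], 'thumbprints': set()}
    for p in parse_tree(text):
        out['processes'] += 1
        tags = classify(p)
        out['store_writes'] += [(p.pid, t.split(':', 1)[1]) for t in tags if t.startswith('cert-store-write:')]
        if 'cert-store-remove' in tags:
            out['store_removes'].append(p.pid)
        if 'persistence:system-at-startup' in tags:
            out['persistence'].append(p.pid)
        if 'driver-install' in tags:
            out['driver_install'].append(p.pid)
        out['thumbprints'].update(t.lower() for t in THUMB_RE.findall(p.cmdline))
    out['unexpected_thumbprints'] = out['thumbprints'] - {t.lower() for t in expected}
    return out


# Constructed sample: a subset of the report's records, copied as rendered.
SAMPLE = r"""
C:\Program Files\Wireshark\npcap-1.79.exe"C:\Program Files\Wireshark\npcap-1.79.exe" /winpcap_mode=no /loopback_support=no2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2712
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"3⤵
PID:456
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"3⤵
PID:2020
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"3⤵
PID:2836
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nseAE8E.tmp\signing.p7b"3⤵
- Manipulates Digital Signatures
PID:4656
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -c3⤵
PID:3888
C:\Windows\SYSTEM32\pnputil.exepnputil.exe -e4⤵PID:4720
C:\Program Files\Npcap\NPFInstall.exe"C:\Program Files\Npcap\NPFInstall.exe" -n -i3⤵
- Drops file in Drivers directory
PID:4092
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"3⤵
PID:4272
"""

if __name__ == '__main__':
    print(triage(SAMPLE))
```

Run as a script it prints the triage dictionary for the sample; on a real report, paste the copied tree text in place of SAMPLE. What to escalate is anything reported under unexpected_thumbprints, a TrustedPublisher write whose .p7b does not chain to the expected signer, or a startup task whose action is something other than the shipped CheckStatus.bat; the parent links let you confirm that every one of those actions was spawned by the installer process and not by something else in the tree.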
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
- Filesize: 19KB
  MD5: 0631387a370569791b5093c7d71cae22
  SHA1: 112f2161b882477c1f47ddd9af7636ec79f4308b
  SHA256: 05ba7c0b9307598fe86369a9e8a77d20eb522734655cac841b3334cb09251fa4
  SHA512: 9d985aa25d296d408699c7c163d2ae12625736dbac4b44eea750f36d29d184aaa137eb8fbf4964204fa4cc62a583e57788864e2aec4c9b85e8802350a17e89c3
- Filesize: 19KB
  MD5: a908386570a252d8b898bedf2e19e938
  SHA1: bdf95b0b2db7dc5192d13a8eda3eda1c80c4305f
  SHA256: a9a55a4eb1c6c52c4dbb325bf259b4817a4bf7c881920b464cb2fc48d37c6fff
  SHA512: b59425ced38d8d718274e6cb27ec6da2be29e2e5a8cd79c72c46ab4a7e642b3c9f56e9ff1c3da65db77fefcfb8c055bdca68b119024dbbac6aa00e5d8182ebd8
- Filesize: 21KB
  MD5: f0f6134a13ab1056cb337d20a9a355cf
  SHA1: 5c2581d7376a9c0a87672aaaa1ad955c6b49da4d
  SHA256: f9f1364cfa3573dc2dd6c0f241429679b4112f0c14dd7ee4c13d4bd5621af14e
  SHA512: ec654291729ecc8b891215241e489d26bcf0f2143481bf3da0f8e782074c546419f27f4ab225b6c5e98584c718b7d282d3a81f5a8ae635cbbf68e1647e834f66
- Filesize: 21KB
  MD5: 49a97b76d2cdc553bccd332a7d011b3b
  SHA1: 6f1d148b461853e66cfd29bfd8396b9425b461cf
  SHA256: 3d5758a95f33aabd3d7c2480d0ce3fd8d2485d5068d445383cdeb0df1d18dc88
  SHA512: cfc935abe44a360518eac0f2038f0036a2b3e08c8fbf77a99a8527bc969f1c77af90b887bbc9e40084dfed7af280deb0a1f073ddf18e604d39845e49ed42b770
- Filesize: 12KB
  MD5: 851cc374a87e0a83956a29c762c008c5
  SHA1: 1f1c907e687631c551caaaffb0de28dfcfb03c01
  SHA256: f05d0dfba14aceb7cb27b49ec8c4f1ce179813e0cf89a32855d7ea2fda91e124
  SHA512: 260c822dbb2fd53cec2ad352e97a42a665fc030de9cf0b223fed3a945822ccbd7e0e12fa0873646aaf38f5f7b93428f29c0bed3709fbaaa83a3dab6dc39a2dc7
- Filesize: 68KB
  MD5: 1637086aa0ba4637d2788dc20a0cc67c
  SHA1: 4628fe7561526714361764ec637339b21ea88b60
  SHA256: 734c62543768e37c36386b4a07582bb5b322a60d5c997626465725c5b5cef978
  SHA512: 92fb3dd73873ef8a888823f14911f52fe7c11a06bf4172929783a3f3106ea6298d660389cfca902153424b8df64fbe9dc9c5651228d5eb72a650655df21f7cdc
- Filesize: 8KB
  MD5: ed7304fce3f5e3de28435d3f9e8b4156
  SHA1: 45bc86c10386c9368ac482f341999a289dd46897
  SHA256: 64be5edac3eba224120138c6dea3e4a75740e23324fba5a0799499402d96a258
  SHA512: d7532a12b726869e430745da536b7e1e85ce5871bbf3c3cf5fb4261f5b3d5d4307e6267a8b5f53a6719369e261c66c85c05f3941974594ae4864b16242cae41b
- Filesize: 2KB
  MD5: 8ca4504e8e9b66d925107a8f13d9babb
  SHA1: a1d34e2a6e9ce395da0702a9b1e1ec815dc144f0
  SHA256: d1b2726787010252e4dec2a1a47fdd42d86b917c9c41f8baab2219de938b90cb
  SHA512: 4c3fe98134c6e7c180829f82374b22ab052e1cadd2d2ff71ff6eefa4e2a7ff21b8bff14ff21677099d2656a0c216c40abb9246860e70be9f254d73d58b624c38
- Filesize: 393B
  MD5: 68e1ef21950069826c161f576a498098
  SHA1: 8d491c1302ebe0ec80b1c87164ced08ba6c5e474
  SHA256: ced85fdda9e4c84a453da13948fabb729c4b03093d92a375605306aa63a9deb0
  SHA512: 984368562479104dbb8e176381ce3a5487b3b8c279c0cc5f883d4a3b2d2b7dc2650126fddb9a662cc6bbde4e7d645f6f1a85d6952cb58102f213b01cf93cafec
- Filesize: 1KB
  MD5: 71323b267afa1de21fe6943d443a47a3
  SHA1: 0586f017a38b1a0e56304af0f93e53a3ea0dfce3
  SHA256: 7b314c86416303dc4fcbbf4f1de8b9dec959e1a5b65e644191b11bc07b39ad3b
  SHA512: 1a73c6f2282889f6293402d01eb69def7a34455bda0ae833cb45e13bf967c5100003f00cdb92810c6c85739a890ec83e2ec51f5eb6384dad680be02ecec428fa
- Filesize: 1KB
  MD5: af2f9239d5dd601c5c1866c0220c6c1f
  SHA1: 7e851e241450f7cbfbc4190c77261e2ab0694042
  SHA256: c776521a50d3ba3c57baee186c4078d7b1f7ba4e1ec8dedd204f319faf07824f
  SHA512: 6bf26f2f99e7ef4e6341f69665e4f26d586935f32b20544b51e329b9b7609fcb1c3fba8f7c036713b98dbf732e344e9a6e073fe6799c61bd35408c6a138c8708
- Filesize: 1KB
  MD5: 5b3cf626d0e038c21557f70dbd0c6476
  SHA1: c6e83d93aab59a840331639377beb0327b601561
  SHA256: f4ed23fd5e088e59a3c49e0370d54fff57342920f0311d08f962f955f3951da5
  SHA512: 42cccf0baeafe5e4d5bd166c29f95c25d6ce13fce3f8a6ed8d52d11ded1b22955566c298ebdb7a96bcdc2495828350cfdb914d0da7227a8fb849df7b9b4bd9fe
- Filesize: 2KB
  MD5: 4a6d916ff2e9bc23e2304777ce0ac37e
  SHA1: 205499ee63e119b9fdaab5612d72f85ee0be8b4f
  SHA256: 9ba7fb7ccc378eba5500fdd1ec2c919cf7f036653c5a0f2f91ef9bf8877eb9f9
  SHA512: 87cbb94cc70139412d177a885dace7be7ca4bc1e995e392ed93d267a70d2ae41323e6688f7b32bc8e10a8d3f74e3ccd41564fa880ddd4b004746eae1011b376e
- Filesize: 3KB
  MD5: 5192677ee2d779818140aee97b3de73f
  SHA1: 955a3184d397186e05a2b81c14feeafdf0214279
  SHA256: bc14bac8b750653bb8fd1d9c8a0a818575248c35b83d80213da5327ee4343ff8
  SHA512: ec5886d3ee60c1852485eca6d612091dc2b812ef9c920d4e53f66fe5c33194d5fc292606e7bcca6a59e0ecc3071a85009a2ec8127d7690a10e7824bc0c52f7de
- Filesize: 3KB
  MD5: 23f046033b0e9746df3f9e9c383b8e55
  SHA1: f69ec936ebddceca127c1c0f8220112d6bbef1ea
  SHA256: ec2d6c29e9e95b77026fb9496ea486700e43e352d9ac04e2802cefcf729a6b3e
  SHA512: 5a74f547400502e5e92f04e0d2fd6209dd12c342370376471bb38cdefa1497ec93bb102e545813b747a741628a5dc7e0c279f9c90b9dad9b9264209e7662497c
- Filesize: 3KB
  MD5: 7b5a9c1e9f83a11b9589d2d620282598
  SHA1: e269e7f2f2452c355437c305749a43754e241cbe
  SHA256: 162fbb537df44d70f2e0cdd8ada0e40ca509da3add4af89fb1023db2a8f6cf63
  SHA512: bc8632dcf5ab95d6bccad90c8e67feede8e196550bf1b9212756fbce9e5f0395654d8071750999cb1e0afb552b6f20cd84e243b5ffc944c3d7e06659a41f7e5a
- Filesize: 3KB
  MD5: c39b2053c6074672c24c26db735e70fb
  SHA1: 08bfbd45ae863959cc5e59b19b5333caa9783de6
  SHA256: 789f6c3ee09c0b639a8eae0e6058670732afcc642302a24a6c2fc0e3454eccfa
  SHA512: 85d25ba6a99af1d035ab7ab5fd99834928bf65d7edb689de9f94d0a906273a8b523363b8af3db8ab5c44622b87f9d33ec0c88c5b5f6e183e847b10fecb2d12bb
- Filesize: 4KB
  MD5: e3863f7fc6a04c00c3d34e04f324900b
  SHA1: ad57c68390e133bbca1cad764f20093d62b241ed
  SHA256: b57816f94401cae865650c6861b4a552ee1d7a02938e9fb159dd942e01bcfa02
  SHA512: a0659b8669cb32747ae6a482519f558f0a16d150a88774dd536ecc490c8ec9a53f3d2603c30d5bfdd32d05574a52bc9e59d3ade83ebd89adadf908c5dd38df7d
- Filesize: 1.1MB
  MD5: a4d7e47df742f62080bf845d606045b4
  SHA1: 723743dc9fa4a190452a7ffc971adfaac91606fa
  SHA256: a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53
  SHA512: 8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee
- Filesize: 24.3MB
  MD5: 689d09bce45c75db883db7e78b6f4e9b
  SHA1: ba92a00f0f55dcae85c1bbd098efe606bd080b3c
  SHA256: 814e9da5ec5e5d6a8fa701999d1fc3baddf7f3adc528e202590e9b1cb73e4a11
  SHA512: 4db5078fdd9eb9ce00a1b6195a67c779a1d3c719de0fbd4729adbdac2d8ca442cf4e0a31aa40d213f29617ec073f1a7e42570dcc2f931eb9534c45f1ec6de253
- Filesize: 2KB
  MD5: d7d9a8cf42183bee617ca839d64b7a95
  SHA1: e5b64017e435f6b41d922755a737a0ba8e15b017
  SHA256: 061b8c7fac080d3a0c4de98b36aa7412a699faa0f6303fa5b59442ee58816ed0
  SHA512: 6f3620568deacaf7683ed1bf63640966568fabaf5c8d46b3d282e54909a3c88599b3ef69e77ca2da779aa171e11dacd57ec3596d1b1af61ca128bb0c065878bd
- Filesize: 17KB
  MD5: 4cb2b521a99b0e026b9d2e69084d3292
  SHA1: c4c55087d5ab1f01d0295e3f50aa24574a5ef0e1
  SHA256: 50fe4dda75c6d21fa8492e7a346ed964d09883f48a9255e32c4f35d30952ae4d
  SHA512: cc66aa2ffbbc763ede72bd550a3b6767f88ef049b120b7cba5895626fcd2a77c24e70ce7882ecd8798df4ee7b3f052e1b1a94ae5f6a5d010d62d306c67ed7546
- Filesize: 16KB
  MD5: e00cb5a8d72128f18b531e9a4a7f91a5
  SHA1: 416ca5c4e6e8aa3492b2b3b0df586f2c614c1612
  SHA256: b1a67701971aef0226ee07bbd08db30acf0d516c98f316276e180f6907b5ec5f
  SHA512: 3f939bce292717fb53cbd2d12a75dd2d6aed931784c08a40058c4cccc43e6e7eaf7f824165c20b15921ecbabef039a221ce452befc248ee4c43cf638a033ec3f
- Filesize: 17KB
  MD5: 9cb61a72c518f7e84d74bad242928fed
  SHA1: 0bad0b0ceabc6243792809f6d609c3fcbc9a0ec3
  SHA256: 052cb4eb52e081d27beebd46fd9f06183b9640473fce82b53a59d20815a91fd7
  SHA512: 9d317dab832fd3ae18327823e722462baf3cded6db7aa00aa7f2faba868e83d6e23e57cae552614754784b0159702a9ca089a37c63fd7afd9b3f6c22375abbc9
- Filesize: 18KB
  MD5: 0d2c1de60bc8e3e059c1d64fadb87cb3
  SHA1: 2b135222c9e3ddf9bf98b0f61a2f6120947aa553
  SHA256: 5a1c1715adefbff6f8521e1745f49041f1ddaad318006bd1581a3459a39a3603
  SHA512: 7e9ab7ab1959c7d259c7fad05e6c6bcf8d383aee47051678c6ed262bc080605a488f28b979b32504f7e3391a0d372d93be69e8a480913cc548232860164f54da
- Filesize: 17KB
  MD5: 5389dfafe77500367e7f0905cfb9d63c
  SHA1: 7cae40b98251567b451ebca15ff54fe026622b7f
  SHA256: 516910b667fec9a599361558c275776df4ea6259450c16f5236999eed864614e
  SHA512: c99b40b9962019d95af9369ce2e30bac9a50840054012e21a1d0c7596ed95b5dcddf8a36f316544f53a9e2bacc5128b3c3ba162876de5fb8d95eb508b653841d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 2KB
  MD5: 566055e73dc254fcf47403f35fc01a15
  SHA1: d9bbb98871f386466f055d4f9bfcd189a8b6c5b2
  SHA256: 5023d0407862af0dec814732aa292cf4afe9a039fd1dccf1a1b708ac49df7831
  SHA512: 3fbc361f66669e00aa3a6a8482e9869f6f3dea0d95cc9614e4864e07acb6ebc75098c094c88def03fd56b0d9d8149e56d0398fe0dca27726cef28b442696cc08
- Filesize: 2KB
  MD5: c86c9f88fd5ebb29ef915f45569861c2
  SHA1: 4a14d685ccfcc05e29815ea5d69e7d2f5336e754
  SHA256: 55c263392072101d53ff779a60132208c617f78ba7919455ef5c120de5c31e98
  SHA512: 9c63b3585606fb454d0309b7530c5054ad8ca41d86cc0b9782f06c021e916ea3b923c4767b35e81e2db5c817bb82f8fd585031946f2901b0f0eed9d49c8b5d66
- Filesize: 1KB
  MD5: de825a838e33ccf3d06b82de337c06d8
  SHA1: 68956e777f646361eae3f06ce6899cd48bb9f593
  SHA256: 3b63b09dff7e4c5fe7ccafff74d9f845d1eb04809b0b77a536b2e4aa7dd1097e
  SHA512: e935ef759abfcafa4d9cf70a1c5508179600fc85d237e53d3e7f2683fa2e14859e5eee167007328995606996a19f4fcc0c1f9a851011a6fa8db6b53c68160a12
- Filesize: 1KB
  MD5: a52f3195b5585e1d9a9b38fef66a1801
  SHA1: 986a5f05ff51d261fe595f0ab56598658aadc9c9
  SHA256: 40795f603b2eab75fbd886715b0103f2f362494576400ae88925ed1ba7063bdc
  SHA512: e9eeb34c3667e56c425b91890f463b5d80e4e5e9f485c2bd3ac064e1784ad118c1460af461e5af8acbbb3bc02432e4f914e54e41d2bdaeaa8af528f0e669b64a
- Filesize: 22KB
  MD5: 170c17ac80215d0a377b42557252ae10
  SHA1: 4cbab6cc189d02170dd3ba7c25aa492031679411
  SHA256: 61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d
  SHA512: 0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f
- Filesize: 300KB
  MD5: c01beb6c3526554ec9dfad40502317f2
  SHA1: 89f468496bd7e6d993a032f918c5baabb21c11be
  SHA256: 5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d
  SHA512: a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339
- Filesize: 19KB
  MD5: f020a8d9ede1fb2af3651ad6e0ac9cb1
  SHA1: 341f9345d669432b2a51d107cbd101e8b82e37b1
  SHA256: 7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0
  SHA512: 408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4
- Filesize: 568B
  MD5: cae757421db8d011e41266bfd9439885
  SHA1: 7108a9f0740ee4e3a118f6ac9212e0446f074181
  SHA256: ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204
  SHA512: 785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5
- Filesize: 14KB
  MD5: f9e61a25016dcb49867477c1e71a704e
  SHA1: c01dc1fa7475e4812d158d6c00533410c597b5d9
  SHA256: 274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d
  SHA512: b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8
- Filesize: 2KB
  MD5: 4c03a565eafdd997f6d501d81e3ad3c9
  SHA1: 1a8e728e164148dc08c4b24242721e6ecf515812
  SHA256: 0f5a91ef783df6ea57ff35297d7a05f5cc6b38b04ff6f307eabb08be6484b43f
  SHA512: fd1c34b3f5ffe51fd91ee82ad68b131918724e6b0b4b19947c17ad169bf3cd1bcd37d6fea36afac817929a9f74c13a65b5e1736de83af65dfdcd895f002e229c
- Filesize: 2KB
  MD5: 31e2faee80521c6ace0bbd28e083d56f
  SHA1: 1318c7c8b7f6c21cfc96f28c3072d20260ab0d22
  SHA256: bb9855fb96614f0e0103e08b8af7742ca929cc1a217c0234bf66804631267f18
  SHA512: a632f25998a7cd8f01b9b5bb2a7833f01d2a885608827919c0bedeb953784ff6647bffe54b8961a1a3300d4adea7b4475437a10352d9f042c474ab302f430980
- Filesize: 7KB
  MD5: dd4bc901ef817319791337fb345932e8
  SHA1: f8a3454a09d90a09273935020c1418fdb7b7eb7c
  SHA256: 8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71
  SHA512: 0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5
- Filesize: 904B
  MD5: a7503cc175535989650d0749c18c8881
  SHA1: 1f4d8aed9a2677e9a2f0467c022fc98b732ce81a
  SHA256: e0f775ff3740334da3924a6537b87d8fc1211942e42d4565f9edd26cf50e7b3f
  SHA512: 3495eee44dd3756b180e50a6f59e3b5fb41707bd243e9f2631e8f23e8f2cc1f668e449a0f905d8876e997c341adbc234ca4a0b7a6f9857d77ee7fd2f689face5
- Filesize: 15KB
  MD5: d095b082b7c5ba4665d40d9c5042af6d
  SHA1: 2220277304af105ca6c56219f56f04e894b28d27
  SHA256: b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
  SHA512: 61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- Filesize: 2KB
  MD5: 7f8588dc6bd696b36b2bbe0e8cee0156
  SHA1: 1000dd884a4cdfc2952e30896bf3871220935ecb
  SHA256: 89b8718f3446aa95be0c968046a61a26f75eaf8cc865452c5e7d27bb6f92a221
  SHA512: b0106a2c3e87fd9641a719e463cab7558adc6c65f3830ff71b3140c23dd7a93ad1955476fa8c46f057a7e334ad751e0aad9c3255f9e6a7d74f1f2b71b7e65b97
- Filesize: 2KB
  MD5: 511c2c65cf643ca999dee7f827199e94
  SHA1: 2c78b15ddbb2372711903e003eb04d12413141c4
  SHA256: 3aec087e19c6c34ace3ad754a58f497d0a54b60894b777c64346bf40f8515c4d
  SHA512: 685941488192eec5c4c1be0d59d1d8cd0cf0430ac8e46ae8a61e9e9d9c2e351386dc97f20f905f59009091c0c90f7e72c9521b31286a065026439bea8580c524
- Filesize: 12KB
  MD5: 4add245d4ba34b04f213409bfe504c07
  SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
  SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
  SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- Filesize: 2KB
  MD5: e99e395d6bfc37663626c4a01c732692
  SHA1: 75813eb6682b97de44dafdd6f98afae7e4d3868b
  SHA256: b4c5e164a7dc968941eab553a3c0f53f3aae8209b8eef74d4be9838b78b51503
  SHA512: e13cf96693c5d3971fdb5b14ee25e629b7016b045719f59d451789651127323b0a260f6c085f0b746b64d04a06a4d408aafc20eb71635d6064d8584af20973f6
- Filesize: 2KB
  MD5: 2c9b26e3cd82c785909565d16930f967
  SHA1: e84e088f8468aff4092b916f3e05365804e7a71b
  SHA256: 12b7c8407403be28bbe750a7836cbb1311dfce29a60481293a11abd5957f7222
  SHA512: d916cfb498c8079eb39867717ac34329060b75038eb819750ac7479888bc7f6dc5f1da2478374711970da8eec58779dd1312a6b8c5690d6c4ddd8a0d0d9e227d
- Filesize: 25KB
  MD5: cbe40fd2b1ec96daedc65da172d90022
  SHA1: 366c216220aa4329dff6c485fd0e9b0f4f0a7944
  SHA256: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
  SHA512: 62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
- Filesize: 9KB
  MD5: 1d8f01a83ddd259bc339902c1d33c8f1
  SHA1: 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
  SHA256: 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
  SHA512: 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
- Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
- Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
- Filesize: 215KB
  MD5: f68f43f809840328f4e993a54b0d5e62
  SHA1: 01da48ce6c81df4835b4c2eca7e1d447be893d39
  SHA256: e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
  SHA512: a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
- Filesize: 5.4MB
  MD5: 92f06ebd6d7dd8fc4373a257ba81e19e
  SHA1: 479f3a9fa2d3fed500088812f9201197adf01e17
  SHA256: 8265bab100e281ddd366a9a435aee439bb87a1fe848fbfce0881449c4f08e485
  SHA512: 76eb034b06f05a0dcbe62843d791a28959c9354c5e290b90a4320451ba0d5081432f2f6581fb16aedde1fbdc7a60b85c0d7f13907ab7d5e563c57dd2aa6fb9ea
- Filesize: 967KB
  MD5: 3ec3d0ebf9e94535ab326fb3ed1ebefd
  SHA1: 5331e4062617df4cfe8dd1fed67a39e1778c3e86
  SHA256: 78cd0d63fb93470f11a300d79c5bafe4554142035126068710d6583fc23d49fa
  SHA512: c3f4899d2bf3079485c5c47c8a910023b654e0ae4821ced54b995df5626692551e12fecdc65551d56d9a99f8e5dcdb6176011afe97dc45a734c192834ed0485a
- Filesize: 208KB
  MD5: c41d1aa655205cb772e3aeb0de9c14df
  SHA1: a3d95bdfa9c9552536adb589f66ccf28dfeabb1c
  SHA256: a4b5cd38dbac2d9588bb15d6b02b24a05c340c2c0a10d1ac86037e6dd14262c5
  SHA512: dd5b8f32021bcff98f2a96582d4cfc28571bef870ca3b1d6f7e58d6d4e18f12eb91063f2524094beb699396814109e39f87183e9935742b9579bae75f5f32f52
- Filesize: 208KB
  MD5: cbb2aeab99bcc3085738c1c41fdf3225
  SHA1: 9462fcbb04046d68df7250f5124e79c269f771b2
  SHA256: 59a148da299c73d6bd4ef9a8e99736c3d3eabb3b9f895ad8ab183b657516cc22
  SHA512: aec8238b7d7a4727b1f3fdcd5d3c6064bf72af6da5d8ef6542fe5fd97b8e24b7d15540426fae029a628d7e160f9fb31fc482edccc416d970f93656ecad0fd5e7
- Filesize: 670KB
  MD5: 261f741c93973d184d4fccf833f0c075
  SHA1: cb7846fc45cc545b3ac6ab0aa3425461e219b196
  SHA256: 1ec6ded595b12262d8bfcf8436046c9d84febff424924cb839a1946dad76ca4e
  SHA512: 90ca6a11c6bbd5f97d1ed146da5279bf40330bf9020b40eb816ede0d914ed4d769e9c48cb8c839924700dec818d4f818f89e6d6afbc7091e2a2809ebe099da81