Windows Analysis Report
WinPcap_4_1_3.exe

DLL planting / hijacking vulnerabilities found

Compliance

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	DLL: USP10.dll	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	DLL: SHFOLDER.DLL	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	DLL: RichEd20.DLL	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	DLL: msls31.dll	Jump to behavior

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

EXE: net.exe

Found installer window with terms and condition text

Uses 32bit PE files

Source: WinPcap_4_1_3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Window detected: < &BackI &AgreeCancelNullsoft Install System v2.46 Nullsoft Install System v2.46License AgreementPlease review the license terms before installing WinPcap 4.1.3.Press Page Down to see the rest of the agreement.Copyright (c) 1999 - 2005 NetGroup Politecnico di Torino (Italy).Copyright (c) 2005 - 2010 CACE Technologies Davis (California).Copyright (c) 2010 - 2013 Riverbed Technology San Francisco (California).All rights reserved.Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Politecnico di Torino CACE Technologies Riverbed Technology nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes software developed by the University of California Lawrence Berkeley Laboratory and its contributors. This product includes software developed by the Kungliga Tekniska Hgskolan and its contributors.This product includes software developed by Yen Yen Lim and North Dakota State University.------------------------------------------Portions Copyright (c) 1990 1991 1992 1993 1994 1995 1996 1997 The Regents of the University of California. All rights reserved.Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the Univ

Creates install or setup log file

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Program Files (x86)\WinPcap\install.log

PE / OLE file has a valid certificate

Source: WinPcap_4_1_3.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\install\WinPcap Installer Helper\Release\x86\WinPcapInstall.pdb`3\9 source: WinPcapInstall.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x64\Packet.pdb source: Packet.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x64\Packet.pdb! source: Packet.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb0 source: rpcapd.exe.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\install\WinPcap Installer Helper\Release\x86\WinPcapInstall.pdb source: WinPcapInstall.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetntx\driver\bin\amd64\npf.pdb source: npf.sys.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb source: rpcapd.exe.0.dr
Source:	Binary string: e:\PTHREADS\pthreads\pthreadVC.pdb source: pthreadVC.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb source: wpcap.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x64\wpcap.pdb source: wpcap.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x86\Packet.pdb source: Packet.dll.0.dr

Spreading

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Networking

Source: WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WinPcap_4_1_3.exe, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WinPcap_4_1_3.exe, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.riverbed.com/
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.riverbed.com/URLUpdateInfoVersionMajorVersionMinorDisplayVersion4.1.0.2980DisplayIcon
Source: WinPcap_4_1_3.exe, 00000000.00000002.2214791230.000000000042B000.00000004.00000001.01000000.00000003.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2125181810.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2084032445.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2084083328.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000002.2214791230.0000000000409000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winpcap.org
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp, WinPcap Web Site.url.0.dr	String found in binary or memory: http://www.winpcap.org/
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winpcap.org/archive
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winpcap.org/install
Source: WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winpcap.org10281256103510391045initDialog
Source: WinPcap_4_1_3.exe, 00000000.00000002.2214791230.0000000000409000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winpcap.orgC:

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EE8

E-Banking Fraud

Install WinpCap (used to filter network traffic)

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Windows\SysWOW64\wpcap.dll

Install WinpCap (used to filter network traffic)

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Windows\SysWOW64\wpcap.dll

Contains functionality to shutdown / reboot the system

System Summary

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030FA

Creates driver files

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Windows\system32\drivers\npf.sys

Creates files inside the driver directory

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Windows\system32\drivers\npf.sys

Creates files inside the system directory

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Windows\SysWOW64\wpcap.dll

Detected potential crypto function

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_004046F9	0_2_004046F9
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_004068FF	0_2_004068FF

PE file contains executable resources (Code or Archives)

Source: WinPcap_4_1_3.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Uninstall.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Uses 32bit PE files

Source: WinPcap_4_1_3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Packet.dll0.0.dr	Binary string: HH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLLCONOUT$SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecNPF_%SSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\InterfacesSYSTEM\CurrentControlSet\ServicesParametersTcpIpUseZeroBroadcastEnableDHCPDhcpIPAddressDhcpSubnetMaskIPAddressSubnetMask\Device\NPF_1394%s%sSYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}ComponentIdLinkageExportSYSTEM\CurrentControlSet\Services\Tcpip\Linkagebinddrivers\NPF.sysIphlpapiGetAdaptersAddressesairpcap.dllAirpcapGetLastErrorAirpcapGetDeviceListAirpcapFreeDeviceListAirpcapOpenAirpcapCloseAirpcapGetLinkTypeAirpcapSetKernelBufferAirpcapSetFilterAirpcapGetMacAddressAirpcapSetMinToCopyAirpcapGetReadEventAirpcapReadAirpcapGetStatsAirpcapWriteWinPcap Packet Driver (NPF)system32\drivers\NPF.sys\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileVersionSYSTEM\CurrentControlSet\Services\%s\\.\%s\\.\Global\%s%wsRSDS=
Source: Packet.dll0.0.dr	Binary string: \Device\NPF_
Source: npf.sys.0.dr	Binary string: UBind\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage\DosDevices\\Device\RSDSP#E~
Source: Packet.dll.0.dr	Binary string: HH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLLCONOUT$SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecNPF_%SSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\InterfacesSYSTEM\CurrentControlSet\ServicesParametersTcpIpUseZeroBroadcastEnableDHCPDhcpIPAddressDhcpSubnetMaskIPAddressSubnetMask\Device\NPF_1394%s%sSYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}ComponentIdLinkageExportSYSTEM\CurrentControlSet\Services\Tcpip\Linkagebinddrivers\NPF.sysIphlpapiGetAdaptersAddressesairpcap.dllAirpcapGetLastErrorAirpcapGetDeviceListAirpcapFreeDeviceListAirpcapOpenAirpcapCloseAirpcapGetLinkTypeAirpcapSetKernelBufferAirpcapSetFilterAirpcapGetMacAddressAirpcapSetMinToCopyAirpcapGetReadEventAirpcapReadAirpcapGetStatsAirpcapWriteWinPcap Packet Driver (NPF)system32\drivers\NPF.sys\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileVersionSYSTEM\CurrentControlSet\Services\%s\\.\%s\\.\Global\%s%wsHx!

Source: classification engine

Classification label: clean14.bank.adwa.winEXE@6/20@0/0

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041FC

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Program Files (x86)\WinPcap

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Users\user\AppData\Local\Temp\nsn2257.tmp

Source: WinPcap_4_1_3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File read: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Source: unknown	Process created: C:\Users\user\Desktop\WinPcap_4_1_3.exe C:\Users\user\Desktop\WinPcap_4_1_3.exe
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process created: C:\Windows\SysWOW64\net.exe net start npf
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start npf
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process created: C:\Windows\SysWOW64\net.exe net start npf	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start npf	Jump to behavior

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: Uninstall WinPcap 4.1.3.lnk.0.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\WinPcap\uninstall.exe

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File written: C:\Users\user\AppData\Local\Temp\nsn2258.tmp\ioSpecial.ini

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Automated click: Next >
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Automated click: I Agree
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Automated click: Install

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

PE / OLE file has a valid certificate

Source: WinPcap_4_1_3.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\install\WinPcap Installer Helper\Release\x86\WinPcapInstall.pdb`3\9 source: WinPcapInstall.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x64\Packet.pdb source: Packet.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x64\Packet.pdb! source: Packet.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb0 source: rpcapd.exe.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\install\WinPcap Installer Helper\Release\x86\WinPcapInstall.pdb source: WinPcapInstall.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetntx\driver\bin\amd64\npf.pdb source: npf.sys.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb source: rpcapd.exe.0.dr
Source:	Binary string: e:\PTHREADS\pthreads\pthreadVC.pdb source: pthreadVC.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb source: wpcap.dll0.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\wpcap\PRJ\Release\x64\wpcap.pdb source: wpcap.dll.0.dr
Source:	Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x86\Packet.pdb source: Packet.dll.0.dr

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

PE file contains an invalid checksum

Source: Uninstall.exe.0.dr	Static PE information: real checksum: 0xedce7 should be: 0x21e7b
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa27d
Source: ExecDos.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x5778
Source: pthreadVC.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1a30d
Source: UserInfo.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xb9d1
Source: InstallOptions.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xdd4b

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Program Files (x86)\WinPcap\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Program Files (x86)\WinPcap\rpcapd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Users\user\AppData\Local\Temp\nsn2258.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Users\user\AppData\Local\Temp\nsn2258.tmp\ExecDos.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Users\user\AppData\Local\Temp\nsn2258.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Users\user\AppData\Local\Temp\nsn2258.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\pthreadVC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\drivers\npf.sys	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\pthreadVC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\SysWOW64\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\Windows\System32\drivers\npf.sys	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

File created: C:\Program Files (x86)\WinPcap\install.log

Modifies existing windows services

Boot Survival

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\WinPcap Web Site.url	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinPcap\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinPcap\rpcapd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\System32\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\System32\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Packet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\pthreadVC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\wpcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\npf.sys	Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

API call chain: ExitProcess graph end node

graph_0-3316

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe	Process created: C:\Windows\SysWOW64\net.exe net start npf			Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start npf			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\WinPcap_4_1_3.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A2E

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Native API	2 Windows Service	2 Windows Service	31 Masquerading	1 Network Sniffing	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	2 DLL Search Order Hijacking	11 Process Injection	11 Process Injection	LSASS Memory	1 Network Sniffing	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 DLL Search Order Hijacking	2 DLL Search Order Hijacking	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WinPcap_4_1_3.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\WinPcap\Uninstall.exe	0%	ReversingLabs
C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	0%	ReversingLabs
C:\Program Files (x86)\WinPcap\rpcapd.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn2258.tmp\ExecDos.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn2258.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn2258.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn2258.tmp\UserInfo.dll	0%	ReversingLabs
C:\Windows\SysWOW64\Packet.dll	0%	ReversingLabs
C:\Windows\SysWOW64\pthreadVC.dll	0%	ReversingLabs
C:\Windows\SysWOW64\wpcap.dll	0%	ReversingLabs
C:\Windows\System32\Packet.dll	0%	ReversingLabs
C:\Windows\System32\drivers\npf.sys	0%	ReversingLabs
C:\Windows\System32\wpcap.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.winpcap.org10281256103510391045initDialog	0%	Avira URL Cloud	safe
http://www.winpcap.orgC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.riverbed.com/	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	WinPcap_4_1_3.exe, Uninstall.exe.0.dr	false		high
http://www.winpcap.org10281256103510391045initDialog	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	WinPcap_4_1_3.exe, Uninstall.exe.0.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	false		high
http://www.winpcap.org	WinPcap_4_1_3.exe, 00000000.00000002.2214791230.000000000042B000.00000004.00000001.01000000.00000003.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2125181810.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2084032445.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000003.2084083328.00000000041F0000.00000004.00000800.00020000.00000000.sdmp, WinPcap_4_1_3.exe, 00000000.00000002.2214791230.0000000000409000.00000004.00000001.01000000.00000003.sdmp	false		high
http://www.winpcap.orgC:	WinPcap_4_1_3.exe, 00000000.00000002.2214791230.0000000000409000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	WinPcap_4_1_3.exe, Packet.dll.0.dr, WinPcapInstall.dll.0.dr, Packet.dll0.0.dr, wpcap.dll0.0.dr, npf.sys.0.dr, rpcapd.exe.0.dr, wpcap.dll.0.dr	false	URL Reputation: safe	unknown
http://www.winpcap.org/archive	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.riverbed.com/URLUpdateInfoVersionMajorVersionMinorDisplayVersion4.1.0.2980DisplayIcon	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winpcap.org/	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp, WinPcap Web Site.url.0.dr	false		high
http://www.winpcap.org/install	WinPcap_4_1_3.exe, 00000000.00000002.2215020551.0000000000577000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1355806
Start date and time:	2023-12-07 22:02:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WinPcap_4_1_3.exe
Detection:	CLEAN
Classification:	clean14.bank.adwa.winEXE@6/20@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 49 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: WinPcap_4_1_3.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	0996766724211.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	AN#U00c1LISIS_DEL_CONTRATO-pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	fordanskningernes_hildebrand.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	91am3NlDis.exe	Get hash	malicious	Snake Keylogger	Browse	192.229.211.108
	Debt-Payment_paper.js	Get hash	malicious	Unknown	Browse	192.229.211.108
	CONTRACT_PREVIEW-pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	PO_66860012.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	Zam#U00f3wienie.ZD33166.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	S#U00d6ZLE#U015eME-pdf.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	REVIZUIREA_CONTRACTULUI-pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	mE361bPBAD.exe	Get hash	malicious	XWorm	Browse	192.229.211.108
	Purchase_Order_#PO30086.exe	Get hash	malicious	Snake Keylogger	Browse	192.229.211.108
	https://lovegemini.co.uk/fc.PDF	Get hash	malicious	Unknown	Browse	192.229.211.108
	DqltlPJzVT.exe	Get hash	malicious	GuLoader	Browse	192.229.211.108
	8q1e8AqlDS.exe	Get hash	malicious	Xmrig, zgRAT	Browse	192.229.211.108
	Setup.exe	Get hash	malicious	RedLine	Browse	192.229.211.108
	0R5nIBeVmh.exe	Get hash	malicious	Pony	Browse	192.229.211.108
	8CF53B54DD1B8FB40221ABE6AA967592BAD78BE7F39EE.exe	Get hash	malicious	zgRAT	Browse	192.229.211.108
	GST_INVOICE.exe	Get hash	malicious	ViottoKeylogger	Browse	192.229.211.108
	SWIFT_COPY.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	ywvz5i8kT9.exe	Get hash	malicious	Unknown	Browse
	vcredist_2010.exe	Get hash	malicious	Unknown	Browse
	vcredist_2010(1).exe	Get hash	malicious	Unknown	Browse
	v.exe	Get hash	malicious	Unknown	Browse
	okIQd4f03Z.exe	Get hash	malicious	Unknown	Browse
	https://www.arcai.com/download/netcut.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\WinPcap\Uninstall.exe	ywvz5i8kT9.exe	Get hash	malicious	Unknown	Browse
	vcredist_2010.exe	Get hash	malicious	Unknown	Browse
	vcredist_2010(1).exe	Get hash	malicious	Unknown	Browse
	v.exe	Get hash	malicious	Unknown	Browse
	okIQd4f03Z.exe	Get hash	malicious	Unknown	Browse
	https://www.arcai.com/download/netcut.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\WinPcap\Uninstall.exe

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	121106
Entropy (8bit):	7.561672524856586
Encrypted:	false
SSDEEP:	3072:NgXdZt9P6D3XJ6ceA6V/EsqmU95VZNFe3J5eA+OC:Ne34wmWemUldiYn3
MD5:	C0F94449E113FA3F7EB420C64108B58B
SHA1:	2FC0779B5C0D560B4A085E452898B64775C9C3A6
SHA-256:	348E87F7ECDB9E2D600370029A95A31DD3172D29454FCD4AFAEE8199285B0EDE
SHA-512:	A5D315DE21CA4EAC6C9599530C705A15ED4FCCE2FBD0594AC493ED64E5DBB1215412C8B88898AB36E2574A45BD0335151F503632937640C6B7218DDFFA29A72C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ywvz5i8kT9.exe, Detection: malicious, Browse Filename: vcredist_2010.exe, Detection: malicious, Browse Filename: vcredist_2010(1).exe, Detection: malicious, Browse Filename: v.exe, Detection: malicious, Browse Filename: okIQd4f03Z.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................@...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinPcap\WinPcapInstall.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93944
Entropy (8bit):	5.944064737500921
Encrypted:	false
SSDEEP:	1536:s7xjrG5m+619YG7L2xo8JfmL4iMtgLZtAeYjFH:s7s27yaL4kVtAeE9
MD5:	E78291558CB803DFD091AD8FB56FEECC
SHA1:	4BDE2F87E903FE8D3BD80179C5584CEC7A8CBDC4
SHA-256:	D9F4CD9F0E1BC9A138FB4DA6F83C92C3E86EB3DE4F988D5943D75C9B1DC6BB9D
SHA-512:	042B96BC2C0E6D8B6E2730426938EB7400FD833BE8A108A4942F559FEDEFABC35FD5DCB7EA1898D377B4382C0A9AF8EEEEBD663A4C852C706E3BD168C1F1F62F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ywvz5i8kT9.exe, Detection: malicious, Browse Filename: vcredist_2010.exe, Detection: malicious, Browse Filename: vcredist_2010(1).exe, Detection: malicious, Browse Filename: v.exe, Detection: malicious, Browse Filename: okIQd4f03Z.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;6...W...W...W..X...oW..X..._W..X....W...X..\|W...X..xW...W...W..X...\|W..X...~W..X...~W..X...~W..Rich.W..........PE..L.....0Q...........!.................*.......................................`.......r..........................................P....0...............P.......@..T.......................................@...............h............................text...4........................... ..`.rdata../'.......0..................@..@.data...H,....... ..................@....rsrc........0....... ..............@..@.reloc.......@... ...0..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinPcap\install.log

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	422
Entropy (8bit):	4.236551634935044
Encrypted:	false
SSDEEP:	12:j1Ib0V1j3WKcjHgVXnFMqSv9ZEjhZJd5hr1C:jyb0VhaA9FMPv9ZEjhXNc
MD5:	D3A2BC3BA963A1C99679AADFE8BD4519
SHA1:	51D69987D2AEA4510E3C1484FE1B6168B393A8B6
SHA-256:	2F8CB362E387E17AFCD55D982DB30F2BD5DB0AA8242C89BC35EF3EEA32AE4E08
SHA-512:	1587C2DFF4231AD25F09EB0CFD49C282DCDA95F8B785C6E0227740F9469B139A9A2F582DBEA73A322F984C52FAE8AD63678D47B2D34B156674F2E3FFB34DF6B2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	WinPcap 4.1.0.2980 Installation LOG..-----------------------------------------------------..Debug Information......Operating system detected on registry: 8 - AMD64..True operating system (kernel.dll): 8 - AMD64..npptools.dll present on the system: false..netnm.inf present on the system: false..nmnt.sys present on the system: false....End of log..-----------------------------------------------------..

C:\Program Files (x86)\WinPcap\rpcapd.exe

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	118520
Entropy (8bit):	6.264101912948104
Encrypted:	false
SSDEEP:	3072:mL7m5RTfrUna0m2BeIIgJ3155FulLfbt/6:C7m5RTEaseIH515qfA
MD5:	83A6C2CAFE236652D1559640594A0EA8
SHA1:	C99AA678F387C00C4470FA3CD7B037D26720960D
SHA-256:	52360F17C9C70C9CEA3316560B40C4D89FD705ED7E6B6088C99FC54D4CC35EB5
SHA-512:	4F6981C4E8D64311087795E9639516409BF80EBCA5C7F25AF1FB436AACCF90F24617ECD3F95B63558981B12BC0E5EEACF120FEA7BE5E5FA05ECF3AFA4F9F799B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........z...)...)...).w.)...).w.)...).w.)..)V..)...)}..)...).w.)...)...))..).w.)...).w.)...).w.)...)Rich...)................PE..L...9.0Q.................0...p......%........@....@..................................(.......................................k.......p..8...........................pB...............................f..@............@..,............................text...X-.......0.................. ..`.rdata..v6...@...@...@..............@..@.data............ ..................@....rsrc...8....p......................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.1.3.lnk

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	798
Entropy (8bit):	3.4113726204054617
Encrypted:	false
SSDEEP:	12:8wl0+0a/ledp8A/a/GcybdpYyhGZ9+r4Q/CNUvH4t2YZ/elFlSJm:85dOAC/SdBhs+DOUFqy
MD5:	C565D4B80CE5D1FF9ACF4357DFBFC7CF
SHA1:	D82B7E823FED8F5B8507015F64E2D8BE82968F04
SHA-256:	4EACC11C8D44203F4A48985B4BA45878082A314D393F9AF025F5F968D8C3C825
SHA-512:	0C84749DC6DB5B3A2CC2D3B658CFFB11840CF64D244CA92911681C58C281D3C080057759F06F40BFA21CADF927798A3A1A701CD08592659DDA0A3A7C6C32336C
Malicious:	false
Preview:	L..................F........................................................g....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".V.1...........WinPcap.@............................................W.i.n.P.c.a.p.....h.2...........uninstall.exe.L............................................u.n.i.n.s.t.a.l.l...e.x.e.......;.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.W.i.n.P.c.a.p.\.u.n.i.n.s.t.a.l.l...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap\WinPcap Web Site.url

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.winpcap.org/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.461050149972742
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4/Wov:HRYFVm/r4/Wy
MD5:	4045C586E0A52F8D15E34642A688FA3B
SHA1:	B5D50D25D5802B59C6DE5499E251913DFFAB58FE
SHA-256:	66DB8411780D0E4B9C09475241E1A8578A3A26A438A0E016722DB5D174055F43
SHA-512:	E5581162D69D4EC997DDF1342CC6A0532CEDFCB81F5E257EA0231AC68B43A52D7BBE7C8C20F1943F5C83C815BE9A5F47F2FECCEEC1BB8B8C5DE48C41144C8437
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.winpcap.org/..

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\ExecDos.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.881160720969831
Encrypted:	false
SSDEEP:	48:6jOBtU/BXN8kUByyy/Aklkcrkyg7Vg5RibGoTCTo0gqVeeaeQqzM5rv774YRljmB:y/DMy4ncrkyg7tbpQFLUEYRxe
MD5:	A7CD6206240484C8436C66AFB12BDFBF
SHA1:	0BB3E24A7EB0A9E5A8EAE06B1C6E7551A7EC9919
SHA-256:	69AC56D2FDF3C71B766D3CC49B33B36F1287CC2503310811017467DFCB455926
SHA-512:	B9EE7803301E50A8EC20AB3F87EB9E509EA24D11A69E90005F30C1666ACC4ED0A208BD56E372E2E5C6A6D901D45F04A12427303D74761983593D10B344C79904
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.......................B..........Rich...........PE..L.....F...........!................F........ ...............................P.......................................#..c...x ..<............................@....................................................... ..x............................text...L........................... ..`.rdata..c.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\InstallOptions.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.550299117674118
Encrypted:	false
SSDEEP:	192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
MD5:	325B008AEC81E5AAA57096F05D4212B5
SHA1:	27A2D89747A20305B6518438EFF5B9F57F7DF5C3
SHA-256:	C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
SHA-512:	18362B3AEE529A27E85CC087627ECF6E2D21196D725F499C4A185CB3A380999F43FF1833A8EBEC3F5BA1D3A113EF83185770E663854121F2D8B885790115AFDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L......K...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\System.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.568877095847681
Encrypted:	false
SSDEEP:	192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:	C17103AE9072A06DA581DEC998343FC1
SHA1:	B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
SHA-256:	DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
SHA-512:	D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\UserInfo.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.331979080664426
Encrypted:	false
SSDEEP:	48:iViF7LLM4wXqQH1wRrOpArXMVyjlZSXRN:ky7EcQHu4tVy4R
MD5:	7579ADE7AE1747A31960A228CE02E666
SHA1:	8EC8571A296737E819DCF86353A43FCF8EC63351
SHA-256:	564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5
SHA-512:	A88BC56E938374C333B0E33CB72951635B5D5A98B9CB2D6785073CBCAD23BF4C0F9F69D3B7E87B46C76EB03CED9BB786844CE87656A9E3DF4CA24ACF43D7A05B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................4..............Rich..................PE..L......K...........!......................... ...............................P...................................... "......L ..<............................@..d.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\bootOptions.ini

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.315051894879581
Encrypted:	false
SSDEEP:	6:aY+ZPr3QMtNuJO4q2k3KfuRoeRm8FXpzXbRAFFIgnfvu75HBkyYm1KKoa4M:ZYrltNukF2kafF8zmFigfvuNHEYKKoG
MD5:	605F189293ADEDA4633D0EC4AE944E42
SHA1:	12D400189CEEDC3CF18A28201565A7BC969407DB
SHA-256:	3C58147DFC168A2F7FED5E80118DDC166E45C3798305BC28B52F6B4334E17F1D
SHA-512:	D1AB35A72BD119376E3379D6041E91C94ECC00BAA5E22F69A635623A1787CE021F912269E372ACB2E151B5F757966406E88883E74FFE1DD86C3DCB2BB56904D6
Malicious:	false
Preview:	; Ini file generated by the HM NIS Edit IO designer...[Settings]..NumFields=1..RTL=0..State=0....[Field 1]..Type=Checkbox..Text=Automatically start the WinPcap driver at boot time..Left=8..Right=198..Top=36..Bottom=46..State=1....;[Field 2]..;Type=Text..;Flags=NOTABSTOP\|MULTILINE\|READONLY..;State=Text\r\nPirla..;Left=8..;Right=279..;Top=70..;Bottom=136....HWND=197624..

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\ioSpecial.ini

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	dropped
Size (bytes):	557
Entropy (8bit):	5.366711398993734
Encrypted:	false
SSDEEP:	12:lOuf9VTsAgQRvAVaa7hO4gNhBYyafB4gND2IrEjl8s3NHy:1TdRvAVaahO1RYB1ZlrEj1ty
MD5:	2401F9421C7124F695A0B2904FFFDFD6
SHA1:	3CBCB5EA241AB00998370A478E2645493DD2CD0D
SHA-256:	FAD1A1CBC5ED891E75B59535FC8920E875BA298C260577CDE0243BF68533AB54
SHA-512:	7217DBA08E458B6BD6DE56147D7C39EAD10C882ADB96F115EA73804EB1D7A904ADB051D361ED0B1D64AE6C6E65C5F417BFF554A369EBF9DAEB20C2949A6971EA
Malicious:	false
Preview:	[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsn2258.tmp\modern-wizard.bmp..HWND=132094..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing the WinPcap 4.1.3 Setup Wizard..Bottom=38..HWND=66560..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=WinPcap 4.1.3 has been installed on your computer.\r\n\r\nClick Finish to close this wizard...HWND=66562..

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\modern-header.bmp

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PC bitmap, Windows 3.x format, 175 x 58 x 24, image size 30624, resolution 2834 x 2834 px/m, cbSize 30678, bits offset 54
Category:	dropped
Size (bytes):	30678
Entropy (8bit):	4.017046289283279
Encrypted:	false
SSDEEP:	192:UdCd/28k2hZrlQ+jP3/PGs/ZkTnSQpuWE:UD8jLlQ+jP3///ZUSJ5
MD5:	D8F59A707B2A5000C7903595EDDC3D48
SHA1:	E86239FE1DC3CFDBEC6006817160EB5F1FC92BCA
SHA-256:	C0E284FDE834FE8A6F90504DBA7ABFF25B1E7DD4611483341203FD3EFC5DE8A6
SHA-512:	91E28A685733620832D3851D7F3EEE36495F2728610BD6C66F305CDDA039F75AB8499D0E51E64AFA018C221A728889503DB2FC7C84CF9599A61B68951686B048
Malicious:	false
Preview:	BM.w......6...(.......:............w....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsn2258.tmp\modern-wizard.bmp

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:	24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Windows\SysWOW64\Packet.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98040
Entropy (8bit):	6.127745728436191
Encrypted:	false
SSDEEP:	1536:zg6Z54QkC2wpk2c+ZCDHKklh74RTfIEtaYQ0:M6Z54ARcIxk4LIEtaYj
MD5:	86316BE34481C1ED5B792169312673FD
SHA1:	6CCDE3A8C76879E49B34E4ABB3B8DFAF7A9D77B5
SHA-256:	49656C178B17198470AD6906E9EE0865F16F01C1DBBF11C613B55A07246A7918
SHA-512:	3A6E77C39942B89F3F149E9527AB8A9EB39F55AC18A9DB3A3922DFB294BEB0760D10CA12BE0E3A3854FF7DABBE2DF18C52E3696874623A2A9C5DC74B29A860BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........H...H...H...oe.Z...oe.j...oe.+......C...H...2...oe..L...oe..I...oe.I...oe..I...RichH...........PE..L...<.0Q...........!.........p......`Q..........................................................................................x....P..T............`.......`..d...................................X...@............................................text...:........................... ..`.rdata...+.......0..................@..@.data....,... ....... ..............@....rsrc...T....P.......0..............@..@.reloc..d....`... ...@..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\pthreadVC.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53299
Entropy (8bit):	3.9943496203596918
Encrypted:	false
SSDEEP:	384:hSvfC8Vv0Vy7ojuq7GQcdWTc4zU+GFronD/yD5rBEe0kiH32Jp9AhOW:wt+TGQcdWYdMG59EeJiH3YzW
MD5:	F04A90F917BA10AE2DCBE859870F4DEA
SHA1:	6668EBE373CE58C33017697C477557653427E626
SHA-256:	99C61ABF41C3AEC38CAB3ED6270ADBCA9A247BBF5F9AA9D29ECB0659A5527F48
SHA-512:	AEC29301B9CE311B27F1590B0E0C4121ACDC183A30B570E087D77B7035684F02A6DFBDEE950C37F3023B32E2EA5A075A5FBE6D18A2804DA9490D4959733BB516
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EGi..&...&...&..c9...&...&..7&...9...&...9...&..Rich.&..........................PE..L.....g?...........!.....p...P.......d..............................................................................0...^.......P...............................T...................................................................................text...3f.......p.................. ..`.rdata........... ..................@..@.data...............................@....idata..4...........................@....reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\wpcap.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282360
Entropy (8bit):	6.604477037348888
Encrypted:	false
SSDEEP:	6144:E4yIm5rC9WNWwKcNBSCiLvK8+jKgZBwIbg2:jyIm59WwpqCuEKIwv2
MD5:	4633B298D57014627831CCAC89A2C50B
SHA1:	E5F449766722C5C25FA02B065D22A854B6A32A5B
SHA-256:	B967E4DCE952F9232592E4C1753516081438702A53424005642700522055DBC9
SHA-512:	29590FA5F72E6A36F2B72FC2A2CCA35EE41554E13C9995198E740608975621142395D4B2E057DB4314EDF95520FD32AAE8DB066444D8D8DB0FD06C391111C6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%I+&a(Eua(Eua(Eu..;uc(EuF.8uv(EuF.+uC(EuF.(u.(EuF.>uc(Eua(Du.(Eu.'.ud(EuF.4ut(EuF.?u`(EuF.9u`(EuF.=u`(EuRicha(Eu........................PE..L.....0Q...........!................z...............................................8_.............................. ...........P....................0..........8&..p...................................@...............,............................text....z.......................... ..`.rdata..=7.......@..................@..@.data...!........ ..................@....rsrc...............................@..@.reloc..p........0..................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\System32\Packet.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107768
Entropy (8bit):	6.207807273671645
Encrypted:	false
SSDEEP:	3072:xpMSqNrAF/ln2800b4U7kByZo6Fsl1LOb:xpMSq0/AN0EG4yZ/
MD5:	899A5BF1669610CDB78D322AC8D9358B
SHA1:	80A2E420B99FFE294A523C6C6D87ED09DFC8D82B
SHA-256:	AB3CCE674F5216895FD26A073771F82B05D4C8B214A89F0F288A59774A06B14B
SHA-512:	41F2459793AC04E433D8471780E770417AFAC499DC3C5413877D4A4499656C9669C069D24E638D0AAF43AF178A763ACB656FFD34D710EB5E3C94682DB1559056
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................5.......5.......5.....n..............5.......5.......5.......5......Rich....................PE..d.....0Q.........." .........t...... l..............................................r................................................\.......P..x.......T.......\....................$............................................... ...............................text...>........................... ..`.rdata...@... ...B..................@..@.data...(7...p.......T..............@....pdata..\............j..............@..@.rsrc...T............\|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Windows\System32\drivers\npf.sys

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36600
Entropy (8bit):	6.293365115285525
Encrypted:	false
SSDEEP:	768:VVRRdUlDRJuOfUhk8ZX2ZeRY4soGLeTZ8wwfKRw:VVRsZREOfUhNK96TZ8wwi6
MD5:	DE7FCC77F4A503AF4CA6A47D49B3713D
SHA1:	8206E2D8374F5E7BF626E47D56D2431EDC939652
SHA-256:	4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6
SHA-512:	FDACE7EE2593FFE5724DB32F4BE62BB13AA1EC89E1E01C713D8C1E9891A5A0975D127450024C3388A987A35E546568ECDBCC60C185DC8F8B08CCEF67A084B20D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}i.}i.}i.}h..}i...}i...}i...}i...}i...}i...}i.Rich.}i.................PE..d.....0Q.........."......V..........................................................9q......................................................d...P....................p...............a...............................................`...............................text....M.......N.................. ..h.rdata.......`.......R..............@..H.data...4....p.......X..............@....pdata...............^..............@..HINIT.................`.............. ....rsrc................h..............@..B.reloc..<............n..............@..B........................................................................................................................................................................................................................................

C:\Windows\System32\wpcap.dll

Process:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	370424
Entropy (8bit):	6.481542014421452
Encrypted:	false
SSDEEP:	6144:pH+VjFreKE0V/NGvaX86tWBXZkbTe/CtjgZBwIV8g/wNmJ4eXk:pH+VBeT0V/NBX8k2YTe/QIwIs8k
MD5:	A672F1CF00FA5AC3F4F59577F77D8C86
SHA1:	B68E64401D91C75CAFA810086A35CD0838C61A4B
SHA-256:	35AAB6CAAAF1720A4D888AE0DE9E2A8E19604F3EA0E4DD882C3EEAE4F39AF117
SHA-512:	A566E7571437BE765279C915DD6E13F72203EFF0DC3838A154FC137ED828E05644D650FD8432D1FB4C1E1D84EE00EF9BDE90225C68C3CA8A5DA349065E7EBFD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5...[...[...[.e.%...[...&...[...5...[...6..[... ...[...Z.d.[.U ...[...*...[...!...[...'...[...#...[.Rich..[.........................PE..d.....0Q.........." ................p........................................P......................................................P4.......'..P....0...........'...........@..X.......................................................X............................text............................... ..`.rdata..mm.......n..................@..@.data........@...&...,..............@....pdata...'.......(...R..............@..@.rsrc........0.......z..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.980473659413747
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WinPcap_4_1_3.exe
File size:	915'128 bytes
MD5:	a11a2f0cfe6d0b4c50945989db6360cd
SHA1:	e2516fcd1573e70334c8f50bee5241cdfdf48a00
SHA256:	fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de
SHA512:	2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70
SSDEEP:	24576:UBOldyR6ORWsaM2QROxa6jsqUENfJjNK/CG6niqiL:2KzqWsayROxa6QDENuaG+ifL
TLSH:	7F15231507A47D77FF274270906FEA60AFFEC2294390362733A464EA2D53AD62B1417B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/09/2012 02:00:00 28/10/2015 00:59:59
Subject Chain	CN="Riverbed Technology, Inc.", OU=Product Marketing, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Riverbed Technology, Inc.", L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	B60719FF3ED25BCF2F558D12BE84DEE5
Thumbprint SHA-1:	C7584F696C2A2DA123C8B9F189D0227102A46FAB
Thumbprint SHA-256:	A6EAC3AB012CCD0E6BE59A42EED458739BCCB5727B1B95A1E6A577A248D87B58
Serial:	1402AEEF0D31BE743E73F6A7A960C4F4

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FA524C39DC6h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FA524C39A79h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FA524C39A67h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FA524C371DCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FA524C3955Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FA524C37235h
cmp cl, 00000020h
jne 00007FA524C371D8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FA524C371CCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f000	0x43a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdd7c0	0x1ef8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3f000	0x43a8	0x4400	False	0.6177045036764706	data	5.846431450907402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3f358	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x40400	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x412a8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x41b50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x420b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x42520	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x42808	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x42930	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x429e8	0x200	data	English	United States	0.3984375
RT_DIALOG	0x42be8	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x42ce0	0xa0	data	English	United States	0.60625
RT_DIALOG	0x42d80	0xee	data	English	United States	0.6260504201680672
RT_GROUP_ICON	0x42e70	0x68	data	English	United States	0.6634615384615384
RT_VERSION	0x42ed8	0x2b8	COM executable for DOS	English	United States	0.492816091954023
RT_MANIFEST	0x43190	0x215	XML 1.0 document, ASCII text, with very long lines (533), with no line terminators	English	United States	0.575984990619137

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 7, 2023 22:03:43.962311983 CET	1.1.1.1	192.168.2.6	0x7122	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 7, 2023 22:03:43.962311983 CET	1.1.1.1	192.168.2.6	0x7122	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• WinPcap_4_1_3.exe
• net.exe
• conhost.exe
• net1.exe

Click to jump to process

Memory Usage

• WinPcap_4_1_3.exe
• net.exe
• conhost.exe
• net1.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	22:03:23
Start date:	07/12/2023
Path:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\WinPcap_4_1_3.exe
Imagebase:	0x400000
File size:	915'128 bytes
MD5 hash:	A11A2F0CFE6D0B4C50945989DB6360CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	2
Start time:	22:03:34
Start date:	07/12/2023
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net start npf
Imagebase:	0x600000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	22:03:34
Start date:	07/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	22:03:34
Start date:	07/12/2023
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 start npf
Imagebase:	0xe60000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true