
Windows Analysis Report
runzero-explorer-3.2.8-windows-amd64.exe

Overview

General Information

Sample Name: runzero-explorer-3.2.8-windows-amd64.exe
Analysis ID: 736220
MD5: d0674fbefbacf4c3b9ca5d710753895d
SHA1: 73e7fc7e44dac934242996da65a880bf69a8a064
SHA256: 12ad8fd40637ec16d0bae840c3318d72c1b3d4d5cf835d06ebd56a15034e0181

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 49
Range: 0 - 100

Signatures

Yara detected GuLoader
Registers a new ROOT certificate
Installs new ROOT certificates
Install WinpCap (used to filter network traffic)
Suspicious powershell command line found
Creates files in the system32 config directory
DLL side loading technique detected
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Creates files inside the driver directory
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
DLL planting / hijacking vulnerabilities found
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Contains capabilities to detect virtual machines
Spawns drivers
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (verdict scale: clean, suspicious, malicious)
  • System is w10x64_ra
  • runzero-explorer-3.2.8-windows-amd64.exe (PID: 3188 cmdline: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe MD5: D0674FBEFBACF4C3B9CA5D710753895D)
    • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 3016 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe 2>NUL" MD5: 9D59442313565C2E0860B88BF32B2277)
      • taskkill.exe (PID: 2132 cmdline: taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe MD5: 3BBEE3AC757CA54F33710DF8FB9D47A7)
  • svchost.exe (PID: 5412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 5056 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 6180 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)
  • SgrmBroker.exe (PID: 6232 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: C51AA0BB954EA45E85572E6CC29BA6F4)
  • svchost.exe (PID: 6272 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 6348 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: 9520A99E77D6196D0D09833146424113)
  • rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe (PID: 6520 cmdline: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe MD5: D0674FBEFBACF4C3B9CA5D710753895D)
    • rumble-npcap-1721457150.exe (PID: 6644 cmdline: C:\Windows\TEMP\rumble-npcap-1721457150.exe "/S /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no" MD5: 0FAC5F07EAEF3FEEBEB9A910F99761E3)
      • NPFInstall.exe (PID: 6668 cmdline: "C:\Windows\TEMP\nsoAF78.tmp\NPFInstall.exe" -n -check_dll MD5: 36F0E125CB870AC28CDFF861A684F844)
        • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 6732 cmdline: certutil -addstore -f "Root" "C:\Windows\TEMP\nsoAF78.tmp\roots.p7b" MD5: 46B60DBFFA3D5E1D6647E47B29EF7F69)
        • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • certutil.exe (PID: 6812 cmdline: certutil -addstore -f "TrustedPublisher" "C:\Windows\TEMP\nsoAF78.tmp\signing.p7b" MD5: 46B60DBFFA3D5E1D6647E47B29EF7F69)
        • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • NPFInstall.exe (PID: 6868 cmdline: "C:\Program Files\Npcap\NPFInstall.exe" -n -c MD5: 36F0E125CB870AC28CDFF861A684F844)
        • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
        • pnputil.exe (PID: 6924 cmdline: pnputil.exe -e MD5: B2DBA298A747802266E7DC6D1EA262E6)
          • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • NPFInstall.exe (PID: 6988 cmdline: "C:\Program Files\Npcap\NPFInstall.exe" -n -iw MD5: 36F0E125CB870AC28CDFF861A684F844)
        • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • NPFInstall.exe (PID: 7044 cmdline: "C:\Program Files\Npcap\NPFInstall.exe" -n -i MD5: 36F0E125CB870AC28CDFF861A684F844)
        • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 3016 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • powershell.exe (PID: 5344 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)" MD5: BCC5A6493E0641AA1E60CBF69469E579)
        • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • sc.exe (PID: 6188 cmdline: sc.exe stop npcap MD5: E46C638010C25479F66BACBE8596CA76)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • sc.exe (PID: 2936 cmdline: sc.exe start npcap MD5: E46C638010C25479F66BACBE8596CA76)
      • conhost.exe (PID: 2808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 1136 cmdline: C:\Windows\system32\cmd.exe /c taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe" MD5: 9D59442313565C2E0860B88BF32B2277)
      • conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
      • taskkill.exe (PID: 5552 cmdline: taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe" MD5: 3BBEE3AC757CA54F33710DF8FB9D47A7)
  • svchost.exe (PID: 7100 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: 9520A99E77D6196D0D09833146424113)
  • svchost.exe (PID: 7156 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: 9520A99E77D6196D0D09833146424113)
    • drvinst.exe (PID: 1884 cmdline: DrvInst.exe "4" "9" "C:\Program Files\Npcap\NPCAP.inf" "9" "405306be3" "00000000000001A0" "Service-0x0-3e7$\Default" "00000000000001AC" "208" "C:\Program Files\Npcap" MD5: 100997A8B475B1D1B173BE8941DFE1A6)
  • npcap.sys (PID: 4 cmdline: MD5: 08A2DEF8EFC2619DDABE13A041703AEA)
  • svchost.exe (PID: 3644 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: 9520A99E77D6196D0D09833146424113)
  • cleanup
Source | Rule | Description | Author | Strings
0000000E.00000002.2248529939.00000000005F8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | DLL: iphlpapi.dll

    Compliance

    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rumble Network Discovery Agent (cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd)
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Directory created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd.log
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Directory created: C:\Program Files\Rumble
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Directory created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\install.log
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\LICENSE
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\DiagReport.bat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\DiagReport.ps1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\FixInstall.bat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\Uninstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\NPFInstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\npcap.sys
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\npcap.cat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\npcap.inf
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\npcap_wfp.inf
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | Directory created: C:\Program Files\Npcap\NPFInstall.log
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Directory created: C:\Program Files\Npcap\CheckStatus.bat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Program Files\Npcap\install.log
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | File created: C:\Program Files\Npcap\NPFInstall.log
    Source: runzero-explorer-3.2.8-windows-amd64.exe | Static PE information: certificate valid
    Source: runzero-explorer-3.2.8-windows-amd64.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
    Source: unknown | TCP traffic detected without corresponding DNS query: 13.248.161.247

    E-Banking Fraud

    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -addstore -f "Root" "C:\Windows\TEMP\nsoAF78.tmp\roots.p7b"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Windows\SysWOW64\wpcap.dll
    Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{eb0958b0-7f86-6349-b0db-2cc0cde251fe}\SETED79.tmp
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Windows\Temp\nsoAF78.tmp\roots.p7b
    Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{eb0958b0-7f86-6349-b0db-2cc0cde251fe}\npcap.cat (copy)
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Windows\Temp\nsoAF78.tmp\signing.p7b

    Spam, unwanted Advertisements and Ransom Demands

    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Windows\SysWOW64\wpcap.dll
    Source: C:\Program Files\Npcap\NPFInstall.exe | File created: C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_98044d7e2e228ac8\netvwififlt.PNF
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File deleted: C:\Windows\Temp\nsoAF76.tmp
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Section loaded: airpcap.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | File created: C:\Program Files\Npcap\npcap.sys
    Source: unknown | Driver loaded: C:\Windows\System32\drivers\npcap.sys
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | File read: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe
    Source: runzero-explorer-3.2.8-windows-amd64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe 2>NUL"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: unknown | Process created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s DoSvc
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
    Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\Temp\rumble-npcap-1721457150.exe C:\Windows\TEMP\rumble-npcap-1721457150.exe "/S /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe "C:\Windows\TEMP\nsoAF78.tmp\NPFInstall.exe" -n -check_dll
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -addstore -f "Root" "C:\Windows\TEMP\nsoAF78.tmp\roots.p7b"
    Source: C:\Windows\SysWOW64\certutil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -addstore -f "TrustedPublisher" "C:\Windows\TEMP\nsoAF78.tmp\signing.p7b"
    Source: C:\Windows\SysWOW64\certutil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    Source: C:\Program Files\Npcap\NPFInstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\Npcap\NPFInstall.exe | Process created: C:\Windows\System32\pnputil.exe pnputil.exe -e
    Source: C:\Windows\System32\pnputil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    Source: C:\Program Files\Npcap\NPFInstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -i
    Source: C:\Program Files\Npcap\NPFInstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "9" "C:\Program Files\Npcap\NPCAP.inf" "9" "405306be3" "00000000000001A0" "Service-0x0-3e7$\Default" "00000000000001AC" "208" "C:\Program Files\Npcap"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\sc.exe sc.exe stop npcap
    Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\sc.exe sc.exe start npcap
    Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
    Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe")
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = 'CHROME.EXE' )
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeFile created: C:\Windows\TEMP\nsoAF76.tmp
    Source: classification engineClassification label: mal76.bank.troj.adwa.evad.winEXE@57/57@0/10
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeFile read: C:\Windows\Temp\nsoAF78.tmp\options.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6824:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2808:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6996:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6932:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7052:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6756:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6824:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6224:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1520:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6676:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7052:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6756:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6876:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2716:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6996:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2716:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6224:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6676:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2808:120:WilError_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6876:120:WilError_02
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeMutant created: \BaseNamedObjects\NPCAP_INST_GUID
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1520:120:WilError_02
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeFile created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd.log
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeFile written: C:\Windows\Temp\nsoAF78.tmp\options.ini
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rumble Network Discovery Agent (cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd)
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic file information: File size 79330800 > 1048576
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeDirectory created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd.log
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exeDirectory created: C:\Program Files\Rumble
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exeDirectory created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\install.log
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\LICENSE
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\DiagReport.bat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\DiagReport.ps1
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\FixInstall.bat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\Uninstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\NPFInstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\npcap.sys
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\npcap.cat
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\npcap.inf
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\npcap_wfp.inf
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exeDirectory created: C:\Program Files\Npcap\NPFInstall.log
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exeDirectory created: C:\Program Files\Npcap\CheckStatus.bat
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: certificate valid
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1898000
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2cc2400
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x519c00
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: Raw size of .reloc is bigger than: 0x100000 < 0x12ca00
    Source: runzero-explorer-3.2.8-windows-amd64.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match	File source: 0000000E.00000002.2248529939.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service" (2 identical entries)
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)" (2 identical entries)
    Source: runzero-explorer-3.2.8-windows-amd64.exe	Static PE information: section name: .symtab

    Persistence and Installation Behavior

    Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Blob
    Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Blob
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\.rumble
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\.rumble\cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd.agentid
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\SysWOW64\NpcapHelper.exe
    Source: C:\Program Files\Npcap\NPFInstall.exe	File created: C:\Windows\system32\DRIVERS\npcap.sys (copy)
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\System32\Npcap\WlanHelper.exe
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe	File created: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\Temp\nsoAF78.tmp\nsExec.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\Temp\nsoAF78.tmp\InstallOptions.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\System32\wpcap.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\System32\Packet.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Program Files\Npcap\Uninstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\SysWOW64\Packet.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\SysWOW64\Npcap\WlanHelper.exe
    Source: C:\Program Files\Npcap\NPFInstall.exe	File created: C:\Windows\System32\drivers\SETB038.tmp
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\System32\NpcapHelper.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\Temp\nsoAF78.tmp\System.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Windows\SysWOW64\wpcap.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	File created: C:\Program Files\Npcap\install.log
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe	File created: C:\Program Files\Npcap\NPFInstall.log
    Source: C:\Windows\System32\svchost.exe	Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe	Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop npcap
    Source: C:\Windows\SysWOW64\certutil.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3 Blob
    Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 identical entries)
    Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe	Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX (2 identical entries)
    Source: C:\Windows\System32\pnputil.exe	Process information set: NOOPENFILEERRORBOX (2 identical entries)
    Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Npcap\NPFInstall.exe	Process information set: NOOPENFILEERRORBOX (23 identical entries)
    Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX (31 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX (60 identical entries)
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX (18 identical entries)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Product FROM Win32_BaseBoard
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe TID: 6648 | Thread sleep count: 31 > 30
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe TID: 6648 | Thread sleep count: 224 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720 | Thread sleep count: 2198 > 30
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe TID: 6648 | Thread sleep count: 336 > 30
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe TID: 6648 | Thread sleep time: -33600s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2996 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308 | Thread sleep count: 6506 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5924 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 780 | Thread sleep count: 9112 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1088 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\NpcapHelper.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\System32\Npcap\WlanHelper.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\System32\Packet.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Packet.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Program Files\Npcap\Uninstall.exe
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\Npcap\WlanHelper.exe
    Source: C:\Program Files\Npcap\NPFInstall.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\SETB038.tmp
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Dropped PE file which has not been started: C:\Windows\System32\NpcapHelper.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2198
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6506
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9112
    Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor
    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
    Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process token adjusted: Debug
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Process token adjusted: Debug
    Source: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\System.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\System.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\InstallOptions.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\InstallOptions.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\nsExec.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\nsExec.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\nsExec.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Section loaded: C:\Windows\Temp\nsoAF78.tmp\nsExec.dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -windowstyle hidden -noninteractive -command "scheduledtasks\register-scheduledtask -force -taskname 'npcapwatchdog' -description 'ensure npcap service is configured to start at boot' -action (scheduledtasks\new-scheduledtaskaction -execute 'c:\program files\npcap\checkstatus.bat') -principal (scheduledtasks\new-scheduledtaskprincipal -userid 'system' -logontype serviceaccount) -trigger (scheduledtasks\new-scheduledtasktrigger -atstartup) -settings (scheduledtasks\new-scheduledtasksettingsset -allowstartifonbatteries -compatibility win8)"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -windowstyle hidden -noninteractive -command "scheduledtasks\register-scheduledtask -force -taskname 'npcapwatchdog' -description 'ensure npcap service is configured to start at boot' -action (scheduledtasks\new-scheduledtaskaction -execute 'c:\program files\npcap\checkstatus.bat') -principal (scheduledtasks\new-scheduledtaskprincipal -userid 'system' -logontype serviceaccount) -trigger (scheduledtasks\new-scheduledtasktrigger -atstartup) -settings (scheduledtasks\new-scheduledtasksettingsset -allowstartifonbatteries -compatibility win8)"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /F /IM rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe 2>NUL"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe "C:\Windows\TEMP\nsoAF78.tmp\NPFInstall.exe" -n -check_dll
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -addstore -f "Root" "C:\Windows\TEMP\nsoAF78.tmp\roots.p7b"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\certutil.exe certutil -addstore -f "TrustedPublisher" "C:\Windows\TEMP\nsoAF78.tmp\signing.p7b"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Program Files\Npcap\NPFInstall.exe "C:\Program Files\Npcap\NPFInstall.exe" -n -i
    Source: C:\Program Files\Npcap\NPFInstall.exe | Process created: C:\Windows\System32\pnputil.exe pnputil.exe -e
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\Temp\rumble-npcap-1721457150.exe C:\Windows\TEMP\rumble-npcap-1721457150.exe "/S /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\sc.exe sc.exe stop npcap
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\sc.exe sc.exe start npcap
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
    Source: C:\Windows\Temp\rumble-npcap-1721457150.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Queries volume information: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe VolumeInformation
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Queries volume information: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe VolumeInformation
    Source: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe | Queries volume information: C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe VolumeInformation
    Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{eb0958b0-7f86-6349-b0db-2cc0cde251fe}\npcap.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Windows\System32\sc.exe VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Windows\System32\sc.exe VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Windows\System32\sc.exe VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe | Queries volume information: C:\Windows\System32\sc.exe VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.18362.387.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.18362.418.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
    Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformation
    Source: C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
    Source: C:\Windows\System32\svchost.exeWMI Queries: AntiVirusProduct.instanceGuid=&quot;{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}&quot;
    Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
    Source: C:\Windows\System32\svchost.exeWMI Queries: AntiVirusProduct.instanceGuid=&quot;{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}&quot;
    Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
    Source: C:\Windows\System32\svchost.exeWMI Queries: AntiVirusProduct.instanceGuid=&quot;{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}&quot;
    Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
    Source: C:\Windows\System32\svchost.exeWMI Queries: AntiVirusProduct.instanceGuid=&quot;{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}&quot;
    Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
    Source: C:\Windows\System32\svchost.exeWMI Queries: AntiVirusProduct.instanceGuid=&quot;{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}&quot;
    MITRE ATT&CK matrix, listed per tactic column (the number in brackets is the count badge the report shows next to a technique; techniques without a badge had no matching signature):
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
    Execution: Windows Management Instrumentation [121]; Command and Scripting Interpreter [1]; Service Execution [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
    Persistence: Windows Service [32]; LSASS Driver [1]; DLL Side-Loading [11]; DLL Search Order Hijacking [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Privilege Escalation: Windows Service [32]; Process Injection [11]; LSASS Driver [1]; DLL Side-Loading [11]; DLL Search Order Hijacking [1]; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
    Defense Evasion: Masquerading [132]; Disable or Modify Tools [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [51]; Process Injection [11]; Install Root Certificate [2]; DLL Side-Loading [11]; DLL Search Order Hijacking [1]; File Deletion [1]
    Credential Access: Network Sniffing [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
    Discovery: Security Software Discovery [4]; Process Discovery [1]; Virtualization/Sandbox Evasion [51]; Application Window Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [2]; Network Sniffing [1]; System Information Discovery [124]; System Network Connections Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Command and Control: Encrypted Channel [2]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
    Source | Detection | Scanner | Label | Link
    runzero-explorer-3.2.8-windows-amd64.exe | 0% | Virustotal | | Browse
    Source | Detection | Scanner | Label | Link
    C:\Program Files\Npcap\Uninstall.exe | 0% | ReversingLabs | |
    C:\Program Files\Npcap\Uninstall.exe | 0% | Virustotal | | Browse
    C:\Program Files\Npcap\Uninstall.exe | 0% | Metadefender | | Browse
    C:\Windows\SysWOW64\NpcapHelper.exe | 0% | ReversingLabs | |
    C:\Windows\SysWOW64\NpcapHelper.exe | 0% | Virustotal | | Browse
    C:\Windows\SysWOW64\NpcapHelper.exe | 0% | Metadefender | | Browse
    C:\Windows\SysWOW64\Npcap\WlanHelper.exe | 0% | ReversingLabs | |
    C:\Windows\SysWOW64\Npcap\WlanHelper.exe | 0% | Virustotal | | Browse
    C:\Windows\SysWOW64\Npcap\WlanHelper.exe | 0% | Metadefender | | Browse
    C:\Windows\SysWOW64\Packet.dll | 0% | ReversingLabs | |
    C:\Windows\SysWOW64\Packet.dll | 0% | Virustotal | | Browse
    C:\Windows\SysWOW64\wpcap.dll | 0% | ReversingLabs | |
    C:\Windows\SysWOW64\wpcap.dll | 0% | Metadefender | | Browse
    C:\Windows\System32\NpcapHelper.exe | 0% | ReversingLabs | |
    C:\Windows\System32\NpcapHelper.exe | 0% | Metadefender | | Browse
    C:\Windows\System32\Npcap\WlanHelper.exe | 0% | ReversingLabs | |
    C:\Windows\System32\Npcap\WlanHelper.exe | 0% | Metadefender | | Browse
    C:\Windows\System32\Packet.dll | 0% | ReversingLabs | |
    C:\Windows\System32\drivers\SETB038.tmp | 0% | ReversingLabs | |
    C:\Windows\System32\wpcap.dll | 0% | ReversingLabs | |
    C:\Windows\System32\wpcap.dll | 0% | Metadefender | | Browse
    C:\Windows\Temp\nsoAF78.tmp\InstallOptions.dll | 0% | ReversingLabs | |
    C:\Windows\Temp\nsoAF78.tmp\InstallOptions.dll | 0% | Metadefender | | Browse
    C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | 0% | ReversingLabs | |
    C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe | 0% | Metadefender | | Browse
    C:\Windows\Temp\nsoAF78.tmp\System.dll | 0% | ReversingLabs | |
    C:\Windows\Temp\nsoAF78.tmp\System.dll | 0% | Metadefender | | Browse
    C:\Windows\Temp\nsoAF78.tmp\nsExec.dll | 0% | ReversingLabs | |
    C:\Windows\Temp\nsoAF78.tmp\nsExec.dll | 0% | Metadefender | | Browse
    No Antivirus matches
    No contacted domains info
    IP | Domain | Country | ASN | ASN Name | Malicious
    13.248.161.247 | unknown | United States | 16509 | AMAZON-02US | false
    169.254.169.254 | unknown | Reserved | 6966 | USDOSUS | false
    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:736220
    Start date and time:2022-11-02 18:38:28 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:runzero-explorer-3.2.8-windows-amd64.exe
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
    Number of analysed new started processes analysed:47
    Number of new started drivers analysed:1
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.bank.troj.adwa.evad.winEXE@57/57@0/10
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.190.159.71, 40.126.31.71, 20.190.159.73, 20.190.159.68, 40.126.31.69, 20.190.159.4, 20.190.159.2, 20.190.159.0
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtDeviceIoControlFile calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: C:\Windows\SysWOW64\wpcap.dll
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:DOS batch file, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):815
    Entropy (8bit):5.558307313466295
    Encrypted:false
    SSDEEP:
    MD5:CA8A429838083C351839C258679BC264
    SHA1:40E20B9CDDE036E5078ABC2467E8783DFFFEC199
    SHA-256:102EFB3C86BCD94BF10DECA9E787BA3C1BB2075279317413A85B785FB519C789
    SHA-512:B8F50791440832D7D469749213C303C9115144112C0631273EC095D2844D01CB62057F406119460069041A6138341D42A7CAA0C34A44185DD75E51E2449445F3
    Malicious:true
    Reputation:low
    Preview:@echo off....rem Make sure we can find where Npcap is installed..set KEY_NAME=HKLM\Software\WOW6432Node\Npcap..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_NAME%" /ve 2^>nul ^| find "REG_SZ"`) do (...set NPCAP_DIR=%%C..)..if defined NPCAP_DIR (goto DO_CHECK)..set KEY_NAME=HKLM\Software\Npcap..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_NAME%" /ve 2^>nul ^| find "REG_SZ"`) do (...set NPCAP_DIR=%%C..)..if defined NPCAP_DIR (goto DO_CHECK) else (goto ABORT)....:DO_CHECK....rem If start type is not SYSTEM_START, we need to fix that...for /F "usebackq tokens=1,4" %%A in (`sc.exe qc npcap`) do (...if %%A == START_TYPE (... if NOT %%B == SYSTEM_START (....goto FIXINSTALL... )...)..)....goto ABORT....:FIXINSTALL.."%NPCAP_DIR%\FixInstall.bat"..exit /b %ERRORLEVEL%....:ABORT..exit /b 0..
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:DOS batch file, ASCII text
    Category:dropped
    Size (bytes):1042
    Entropy (8bit):5.0900802146558295
    Encrypted:false
    SSDEEP:
    MD5:606CAE326279E9A530F0FDBFAFA09682
    SHA1:5A7F3465E41AAF1865495557CC5D29991160E730
    SHA-256:FB5350915D7F52ACFCEC5F04A661B5673D9D62AD6C93D3DE16BA67D337B49856
    SHA-512:B3A422CBBDD61921CEE48630753BD7263BDFCFAE09CCF41CE99876AE1128770D049CA47401FC21F7F674158CEA107283E68B1198CA94E30B3C7C203B41BE8C5B
    Malicious:false
    Reputation:low
    Preview:@echo off..whoami /Groups | find "S-1-16-12288" >NUL.if ERRORLEVEL 1 (. rem This tools must run with administrator permissions. rem It will popup the UAC dialog, please click [Yes] to continue.. echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs". echo UAC.ShellExecute "%~s0", "%*", "", "runas", 1 >> "%temp%\getadmin.vbs". "%temp%\getadmin.vbs". exit /b 2.)..set dir=%~dp0.set scriptPath=%dir%DiagReport.ps1.for /f "tokens=*" %%a in ('powershell Get-ExecutionPolicy') do (.set originPolicy=%%a.).powershell Set-ExecutionPolicy 0..rem this call only works for Administrator.rem powershell %scriptPath%..rem This call works also for normal users.rem "No Exit" version:.rem powershell -NoExit -noprofile -command "&{start-process powershell -ArgumentList '-NoExit -noprofile -file \"%scriptPath%\"' -verb RunAs}".rem "Exit" version:.powershell -noprofile -command "&{start-process powershell -ArgumentList '-noprofile -file \"%scriptPath%\"' -verb RunAs}"..powershell Set-
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
    Category:dropped
    Size (bytes):18078
    Entropy (8bit):5.99702041560022
    Encrypted:false
    SSDEEP:
    MD5:0B4DF7D19ADE75BEE930D54BE31AC09C
    SHA1:5481FCFCC647813CA6BBC97E90A76490FEDAF465
    SHA-256:27EB36CB165C6EDD2F55B72A6856E4BF32AE2FA6CADFFCD267F5DF96EEA0B011
    SHA-512:D00D9109084CE1CDF594A17D99F925334F8BA782A4B7AFF0EE776C259B09C02DDAE608ACB6501C5E30980D20000110B6AC16ECC3CE0AA5ABA46B7CF1E6D60DF0
    Malicious:false
    Reputation:low
    Preview:.#.# Deploy.ps1 - The diagnostic report script for Npcap.# Author: Yang Luo.# Date: August 29, 2016.#..$report_file_name = $MyInvocation.MyCommand.Definition.Replace(".ps1", "-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + ".txt")..# Delete the old report if exists..if (Test-Path $report_file_name).{. Remove-Item $report_file_name.}..$(..# $ErrorActionPreference="SilentlyContinue".# Stop-Transcript | Out-Null.# $ErrorActionPreference = "Continue".# Start-Transcript -IncludeInvocationHeader -Path $report_file_name..function write_report($text).{. # Write-Host $text. # Write-Output $text. # $text | Out-File -Append -FilePath $report_file_name. $text. # $text >> $report_file_name. # Write-Output $text | Out-File -Append -FilePath $report_file_name.}..function get_script_bit().{. if ([IntPtr]::Size -eq 8). {. '64-bit'. }. else. {. '32-bit'. }.}..function get_os_bit().{. return (Get-WmiObject Win32_OperatingSystem).OSArchitecture.}..func
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:DOS batch file, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2513
    Entropy (8bit):5.340229721526993
    Encrypted:false
    SSDEEP:
    MD5:3DCB581D39D9349A906368B77A4CEDFA
    SHA1:6BD82932B75608459DA4F4D544AA8EA1DA9EEC2E
    SHA-256:C6158E40BDFD88E892EE6C4DA3A16A037EDF2CC77DC008CBD8FBEB44C643DDDA
    SHA-512:AE044D5EDB81B107092238A1B1BB0D4F1F76D2CE48730E1159A8688524DCC7702AC693069AD76EE4A64FBE772E6C7C08EDE3B93333DCC0D9A03FD25046D54EF6
    Malicious:false
    Reputation:low
    Preview:@echo off..rem Start type auto will start the Npcap service at boot. Set this to "demand" for demand start instead...set START_TYPE=system....setlocal ENABLEEXTENSIONS....rem Get the installed configuration..set KEY_NAME=HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_NAME%" /v "Dot11Support" 2^>nul ^| find "Dot11Support"`) do (...set Dot11Support=%%C..)..echo Dot11Support = %Dot11Support%..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_NAME%" /v "LoopbackAdapter" 2^>nul ^| find "LoopbackAdapter"`) do (...set LoopbackAdapter=%%C..)..echo LoopbackAdapter = %LoopbackAdapter%....rem Make sure we can find where Npcap is installed..set KEY_NAME=HKLM\Software\WOW6432Node\Npcap..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_NAME%" /ve 2^>nul ^| find "REG_SZ"`) do (...set NPCAP_DIR=%%C..)..if defined NPCAP_DIR (goto DO_FIX)..set KEY_NAME=HKLM\Software\Npcap..for /F "usebackq tokens=1,2*" %%A IN (`reg query "%KEY_N
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:ASCII text
    Category:dropped
    Size (bytes):11547
    Entropy (8bit):4.958602504890314
    Encrypted:false
    SSDEEP:
    MD5:03A523A83A83007F9C8989D3DAD893A4
    SHA1:F82E48F3A58E692E31B2EE2103601B580130EAFE
    SHA-256:112D17C43097AE1740B7CB231850DA597BEEB02A845C566573504B2FBAB233E8
    SHA-512:DB205D9EF78164FF51A30EBC3AEAFA5E920A0131D430E683E74B67260A7E979307C6C2D7C767ED8CC5A750216A6D3D18A8A4E17E8FA313DC02C911914C1579D5
    Malicious:false
    Reputation:low
    Preview:.NPCAP COPYRIGHT / END USER LICENSE AGREEMENT..Npcap (https://npcap.com) is a Windows packet sniffing driver and.library and is copyright (c) 2013-2022 by Nmap Software LLC ("The Nmap.Project"). All rights reserved...Even though Npcap source code is publicly available for review, it is.not open source software and may not be redistributed or used in other.software without special permission from the Nmap Project. The.standard (free) version is usually limited to installation on five.systems. We fund the Npcap project by selling two types of commercial.licenses to a special Npcap OEM edition:..1) The Npcap OEM Redistribution License allows companies distribute.Npcap OEM within their products. Licensees generally use the Npcap OEM.silent installer, ensuring a seamless experience for end.users. Licensees may choose between a perpetual unlimited license or.a quarterly term license, along with options for commercial support and.updates. Prices and details: https://npcap.com/oem/redist.htm
    Process:C:\Windows\Temp\nsoAF78.tmp\NPFInstall.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
    Category:modified
    Size (bytes):7482
    Entropy (8bit):5.082767960806323
    Encrypted:false
    SSDEEP:
    MD5:70BC15DE26007BE6C1E0C7A641F39E83
    SHA1:1EABD78E974C21FE048F868313F88C3CF86E7CB6
    SHA-256:9FE2D82DFF97718B122E7E5EF83D847F41E66BC3123C1A0CFD47006BA65E0BEF
    SHA-512:C273569C9F2BD98D384A27AB117615F4595AA9AFFE252C5CA826AE98A6C66BBE70456D143B0F8544621FFD61E677BC198EA28FBA7974C3C102F2CFE2AC6C50AD
    Malicious:false
    Reputation:low
    Preview:.[00001A10] 2022-11-02 18:39:40 --> wmain..[00001A10] 2022-11-02 18:39:40 _tmain: executing, argv[1] = -n...[00001A10] 2022-11-02 18:39:40 _tmain: executing, argv[2] = -check_dll...[00001A10] 2022-11-02 18:39:40 --> getInUseProcesses..[00001A10] 2022-11-02 18:39:40 --> enumProcesses..[00001A10] 2022-11-02 18:39:40 --> getNpcapPIDs..[00001A10] 2022-11-02 18:39:40 <-- getNpcapPIDs..[00001A10] 2022-11-02 18:39:41 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = System, dwProcessID = 4...[00001A10] 2022-11-02 18:39:41 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = Registry, dwProcessID = 88...[00001A10] 2022-11-02 18:39:41 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = smss.exe, dwProcessID = 332...[00001A10] 2022-11-02 18:39:41 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = csrss.exe, dwProcessID = 412...[00001A10] 2022-11-02 18:39:41 enumDLLs::OpenProcess: error, errCode =
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Category:dropped
    Size (bytes):1081352
    Entropy (8bit):6.464985055360759
    Encrypted:false
    SSDEEP:
    MD5:EAFE97644E1F8D030CF3107AAE393B14
    SHA1:D8008A9C6B165F8389AF9546992EB3BD96329C00
    SHA-256:69B1D5911044809EF5E585C32C02760B06D2EAEEC340C59BFD65D82F47542C68
    SHA-512:87E1D841F38AA34860703FA0F818113C3F08EA47F309C295E399F9B3815F512C8CD3263FF2792B779C87C5EF87DF675D3EF19B13CB2F3A773C906E132709DC77
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Virustotal, Detection: 0%, Browse
    • Antivirus: Metadefender, Detection: 0%, Browse
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1(..PF..PF..PF.*_...PF..PG.APF.*_...PF.sv..PF..V@..PF.Rich.PF.........PE..L...2..`.................p..........F9............@..........................`.......N....@................................. ...........xD..........8T...+...........................................................................................text....o.......p.................. ..`.rdata...............t..............@..@.data...............................@....ndata...................................rsrc...xD.......F..................@..@................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:data
    Category:dropped
    Size (bytes):26078
    Entropy (8bit):3.717801195169967
    Encrypted:false
    SSDEEP:
    MD5:68360894A6A9C7F9459CC2912647B510
    SHA1:2907FA8C5D8DAE87EF95D4264F4061148E423EC5
    SHA-256:55B3DA39FC658E623D430A9DAA117450B2E056C1EB63EFCD063781C409A90E2B
    SHA-512:6D7659933078882C346F8688A6D030C2C459E1911EA9A60FE24D92E4785D4BFE4D77A6DF4863CD1C9214BA09B7117E122D774F39CF250A1D2B15348CE48E1C77
    Malicious:false
    Reputation:low
    Preview:C.a.l.l.:. .7.9.5.....S.e.t.F.l.a.g.:. .2.=.0.....C.a.l.l.:. .1.9.4.0.....S.e.t.F.l.a.g.:. .1.3.=.6.....F.i.l.e.:. .o.v.e.r.w.r.i.t.e.f.l.a.g.=.1.,. .a.l.l.o.w.s.k.i.p.f.i.l.e.s.f.l.a.g.=.0.,. .n.a.m.e.=.".C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.n.s.o.A.F.7.8...t.m.p.\.S.y.s.t.e.m...d.l.l.".....F.i.l.e.:. .s.k.i.p.p.e.d.:. .".C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.n.s.o.A.F.7.8...t.m.p.\.S.y.s.t.e.m...d.l.l.". .(.o.v.e.r.w.r.i.t.e.f.l.a.g.=.1.).....C.a.l.l.:. .1.9.4.0.....S.e.t.F.l.a.g.:. .1.3.=.6.....F.i.l.e.:. .o.v.e.r.w.r.i.t.e.f.l.a.g.=.1.,. .a.l.l.o.w.s.k.i.p.f.i.l.e.s.f.l.a.g.=.0.,. .n.a.m.e.=.".C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.n.s.o.A.F.7.8...t.m.p.\.S.y.s.t.e.m...d.l.l.".....F.i.l.e.:. .s.k.i.p.p.e.d.:. .".C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.n.s.o.A.F.7.8...t.m.p.\.S.y.s.t.e.m...d.l.l.". .(.o.v.e.r.w.r.i.t.e.f.l.a.g.=.1.).....J.u.m.p.:. .8.8.9.....C.a.l.l.:. .1.9.4.0.....S.e.t.F.l.a.g.:. .1.3.=.6.....F.i.l.e.:. .o.v.e.r.w.r.i.t.e.f.l.a.g.=.1.,. .a.l.l.o.w.s.k.i.p.f.i.l.e.s.f.l.a.g.=.0.,. .n.a.m.e.
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):2433
    Entropy (8bit):4.948769845014529
    Encrypted:false
    SSDEEP:
    MD5:4B72B37D904CBF298FB8351CC80A048E
    SHA1:F77357BD263F88ACDB1B5CAD300E7B116A1C2EE7
    SHA-256:953B89B39C78DAFB27A05F27BC8FAA97C70F2A6EC3BC2F81070A46B85D305F08
    SHA-512:E63D013CA9BADC2D40634C6BDC1629ADBADE70A65753F317C7E7AC09078AD299105AD6E37FB18A8A6A0B0D994A2EA01C32A55CBC9A19B53466CD49603EE81181
    Malicious:false
    Reputation:low
    Preview:;-------------------------------------------------------------------------..; NPCAP_WFP.INF -- Npcap NDIS 6.x LightWeight Filter Driver..;..; Copyright (c) 2022, Insecure.Com LLC. All rights reserved...;------------------------------------------------------------------------..[version]..Signature = "$Windows NT$"..Class = WFPCALLOUTS..ClassGUID = {57465043-616C-6C6F-7574-5F636C617373}..CatalogFile = %NPF_DriverName%.cat..Provider = %Insecure%..DriverVer = 08/19/2022,14.4.10.5..PnpLockDown=1......[Manufacturer]..%Insecure%=Insecure,NTx86,NTARM64,NTamd64....[Insecure.NTx86]..%NPF_Desc%=Install, INSECURE_NPCAP....[Insecure.NTARM64]..%NPF_Desc%=Install, INSECURE_NPCAP....[Insecure.NTamd64]..%NPF_Desc%=Install, INSECURE_NPCAP....;-------------------------------------------------------------------------..; Installation Section..;-------------------------------------------------------------------------..[Install]..AddReg=Inst_Ndi..Characteristics=0x40000..Net
    Process:C:\Users\alfredo\Desktop\runzero-explorer-3.2.8-windows-amd64.exe
    File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):79330800
    Entropy (8bit):6.203520187548798
    Encrypted:false
    SSDEEP:
    MD5:D0674FBEFBACF4C3B9CA5D710753895D
    SHA1:73E7FC7E44DAC934242996DA65A880BF69A8A064
    SHA-256:12AD8FD40637EC16D0BAE840C3318D72C1B3D4D5CF835D06EBD56A15034E0181
    SHA-512:17E700B3F4CCEB3439F7E6EEF76AE12103490F6DA8FEB5D0FF34235618FCD91E1E9A0C43B25DA9352C305D7BF35BFB7586583D516069AB3CB3AF4E90ECE730E3
    Malicious:true
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...........Q...............@..............................@%..........`... ..............................................0....... %.`............8...E...@..0...................................................`.U.P............................text...f........................... ..`.rdata...#.......$..................@..@.data....j....U...Q...U.............@....idata.......0.......F..............@....reloc..0....@.......L..............@..B.symtab.......%........................B.rsrc...`.... %.. ..................@..@........................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x2018 "Signature", at 0x68 WinDirPath
    Category:dropped
    Size (bytes):12276
    Entropy (8bit):3.678124449370337
    Encrypted:false
    SSDEEP:
    MD5:2BD206A2B5ADF0BC1578BCB54095E291
    SHA1:E49E710667CBAE5E78196877EF3AAC3563102CA6
    SHA-256:0268E5D9B57B3ED1C329FB691BC299403F2395D634F54E4A0FBAFF8B5EF87AF0
    SHA-512:22BA818ADD7A4D585B906C78B2B8C197C60DB4535DD16C78BB85B935A3174E6AA884517456421BE553738AF2CB80D743115BD14D84586784BBCA5BC7A6401134
    Malicious:false
    Reputation:low
    Preview:................P.... ...4. ........................h!.......#.......&......H+..h................/......C.:.\.W.i.n.d.o.w.s.....h...........................................................................\.......P...........................................P...4...................0...........................t...........................................|.......0...T...........................................................................X...........p.......................................p.......X...............................................................................L...............................................................l...............................................H.......0.......................................................0...................................................0.......................................................<...h...........................................$...................................................................4...|...............
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Generic INItialization configuration [BeginLog]
    Category:dropped
    Size (bytes):114945
    Entropy (8bit):5.193824257091524
    Encrypted:false
    SSDEEP:
    MD5:D8E815BCC7A06A6ABAA4ADB266D510B8
    SHA1:B812685786E311446EE940CAEAD4DCD39F3EAE5F
    SHA-256:603582F8AF22D6AE1EF15777555392CCCDB8782E8A8937B0B92FD9DC78509879
    SHA-512:5F16294CC86624EA6E3B56276CDABB93BBEB7CFE2DC1668075BD75DB287735A14D289CAADF29DCF97B60F1BC55BB17F802902D1A3B848431DF03FA77C30B756A
    Malicious:false
    Reputation:low
    Preview:[Device Install Log].. OS Version = 10.0.18363.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2021/05/27 07:15:46.500]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2021/05/27 07:18:03.852.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.18362.1.. inf: Catalog File: prnms009.cat.. pol: {Driver package policy check} 07:18:03.883.. pol: {Driver package policy check - exit(0x00000000)} 07:18:03.883.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 07:18:03.915.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 07:18:03.915.. inf: Driver package 'prnms009.Inf' is
    Process:C:\Windows\System32\svchost.exe
    File Type:data
    Category:dropped
    Size (bytes):1310720
    Entropy (8bit):0.27495651843178437
    Encrypted:false
    SSDEEP:
    MD5:44CB5AFC2EE0E964F08DB86727EC3D4C
    SHA1:BB43AEBA0D63D40D4BA382149A4D339D8291AB58
    SHA-256:073F38AEFAC1D75116B3F1A1039B3DA54EA5F756F1B4AEFE42622574E237A938
    SHA-512:E40D33B43C70A3764496ED4AE23DD80F4E4E3EEB0663857CC909C0F042CA670F5FD03025B15426E8AED7AFE95D763DC826B55574B255B596EB79CE21D1338745
    Malicious:false
    Reputation:low
    Preview:....8...8.......................................X...!.......................................S...................G.......,*....Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................@.<..S..............S..........N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P.............S..............................................................:.B.....S..18362.1.amd64fre.19h1_release.190318-1202...........5.@.....S....+...D.2.........NetSetupShim.pdb.b......7.@.....S...E..6Y...T..".o....NetSetupEngine.pdb......4.@.....S..w...N.<...)........NetSetupApi.pdb.........4.@.....S....h./..........Y....NetSetupSvc.pdb.....................................................................................................................................................
    Process:C:\Windows\System32\svchost.exe
    File Type:Unicode text, UTF-8 (with BOM) text
    Category:dropped
    Size (bytes):2583
    Entropy (8bit):4.9697986369741445
    Encrypted:false
    SSDEEP:
    MD5:B85E9A4702D1EEE70CA0B91AB0BD8110
    SHA1:9BE136BF0625D12E69B5F440892C67DD76ED2363
    SHA-256:4C365648A2AF6EA1B81DF89BD9BA18082D9475218CF609C0E72EAB72157C4F9C
    SHA-512:66931D4BD97531B12609E11A78F81BEA25215C0CFC83DDC42290B27E6A808D7702DE6585D826788763BC9823C038BCB904109FCAD10731D28E58EC10BEFE3026
    Malicious:false
    Reputation:low
    Preview:.{. "AFSEnvironment" : 0,. "AFSUrl" : "https://activity.windows.com",. "AccountSettings" : [],. "AfcDefaultUser" : "",. "AfcPrivacySettings" : {. "ActivityFeed" : 0,. "CloudSync" : 0,. "PublishUserActivity" : 0,. "UploadUserActivity" : 1. },. "AfsConnectivityEnabled" : true,. "AfsPostInitializeSyncWaitMs" : 10000,. "AfsSyncFrequencyMs" : 86400000,. "Authentication.Environment" : 0,. "BluetoothTransportEnabled" : true,. "BluetoothTransportHostingAllowed" : true,. "CcsApiVersion" : "/api/v1",. "CcsDefaultServerName" : "romeccs.microsoft.com",. "CcsPollingEnabled" : false,. "CcsPollingInterval" : 0,. "CcsSeenRequestIds" : [],. "CcsSeenRequestIdsLastUpdatedTime" : "0000-00-00T00:00:00.000",. "Cloud.SessionIdleTimeoutIntervalSecs" : 3600,. "CloudDataGroupPolicyActivitiyPolicies" : [],. "CloudDataMDMActivitiyPolicies" : [],. "CloudTransportEnabled" : true,. "CloudTransportHostingAllowed" : true,. "CustomAuthClsid" : "",.
    Process:C:\Windows\System32\svchost.exe
    File Type:Unicode text, UTF-8 (with BOM) text
    Category:modified
    Size (bytes):945
    Entropy (8bit):4.864256882643635
    Encrypted:false
    SSDEEP:
    MD5:BA4014262FE235FE82103CD5C82C9FD9
    SHA1:812D522E56CE2C7C42F1DB8CB5B21FA0EA3570B1
    SHA-256:35BE8F5B98D6A1FCFF716D52600651C2A429A67CC7142F634F24345A2B40297B
    SHA-512:A81C87DFA180D27424683E76251ED965555C174C46E0DDD02066C3B6937B68BA85D0ED61F9A87AF886ADA3CD597C863D703A7B374904F8ED7D26B499B290625D
    Malicious:false
    Reputation:low
    Preview:.{. "AfcDatabaseSettings" : {. "DatabaseInstanceId" : 0,. "LastUpdated" : "2022-11-02T18:39:17.872". },. "AfsActivityTypes" : [],. "AfsChannelUri" : "",. "AfsEnvironment" : "",. "AfsSubscriptionId" : "",. "AfsSubscriptionUpdateTime" : "0000-00-00T00:00:00.000",. "BaseRegisteredInfoHash" : "",. "CNCNotificationUri" : "",. "CNCNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "CNCNotificationUriLastSynced" : "0000-00-00T00:00:00.000",. "DdsRegistrationExpiryTickCount" : 2097124012256,. "Devices" : [],. "FormatVersion" : 12,. "LastRegisteredNotificationUri" : "",. "LastRegisteredNotificationUriExpirationTime" : "0000-00-00T00:00:00.000",. "LastSyncedTime" : "0000-00-00T00:00:00.000",. "LogicalDeviceId" : "",. "NextDataEncryptionKeyRolloverTime" : "0000-00-00T00:00:00.000",. "RegisteredInfoHash" : "",. "RegisteredWithStrongAuth" : false,. "StableUserId" : "L.alfredo".}.
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):129488
    Entropy (8bit):6.618726944893994
    Encrypted:false
    SSDEEP:
    MD5:C7D5ADE66D275D67A9D272B32D6E071E
    SHA1:BEC9D22E1E54FB2C7F28C021B54B1AB02C18FD6E
    SHA-256:6496D33D3BD318B85A8A18423816D51B052196903B1409078FFD76E4597D4056
    SHA-512:0981AE428A3C543D67C4AB75AE7632C6994CF60F780013E0CC37225F0FC3984B823E1D782247E6502814AC8652C60BBE2A86971E775598BB862895BBD511F369
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j)...H.H.H.H.H.H.:.I$H.H.:.I.H.H.:.I:H.H|=.I.H.H|=.I?H.H|=.I<H.H.:.I+H.H.H.HqH.H.=.I/H.H.=CH/H.H.H+H/H.H.=.I/H.HRich.H.H........................PE..L...`..b.................8..........p........P....@..................................*....@.................................D...<.......0................+..............p...............................@............P..T............................text....6.......8.................. ..`.rdata...l...P...n...<..............@..@.data...L...........................@....rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):215504
    Entropy (8bit):6.575720254279062
    Encrypted:false
    SSDEEP:
    MD5:6F7781328F418C833234E825DD141FE0
    SHA1:2F5FAF1B16BAC1E60C61B732B94C8BC0816C3915
    SHA-256:59EE12726A69F451E7F59325DDD8673A62B4FC87EFEDD0D555E3B2B710B3CC68
    SHA-512:C2738C8D081787359B18B56A879043CCD1A154D555164314AB71D824595FE938415EC5D1F876FCFB91E9723C2FD59D8320F65D74700228788A9618D05D45F7A7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............Z...Z...Zy..[...Zy..[...Zy..[...Z...[...Z...[...Z...[...Zy..[...Z...Z...Zh..[...Zh.$Z...Z..LZ...Zh..[...ZRich...Z................PE..L...h..b.................F..........pp.......`....@..........................`............@.................................P...P....0..(................+...@..........p...............................@............`..h............................text....E.......F.................. ..`.rdata..t....`.......J..............@..@.data...$...........................@....rsrc...(....0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):173520
    Entropy (8bit):6.690838131467423
    Encrypted:false
    SSDEEP:
    MD5:042541821792AA942E3F18F3A6A3276D
    SHA1:2EC33792EE5B8A6291D1EE18AB8EE6E9CDE4556C
    SHA-256:AF69D5651A01FE1E17199378ABF1C71C83B6AA6F2B99F00FA96A37EBA2743A10
    SHA-512:449C7E183E2B4F3C5ADF866C3162E79F0823D535B935C28572AEC2FBC232F76F3C52CE68E307F4657E48F88685BE633671376BDBBC070E0F4B6BD96B77556E99
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.......................................J..9...J......J..................b........................................Rich............PE..L......b...........!.................Y..............................................^u....@A........................ P.......T..........h............z...+...........A..p...........................`B..@............................................text............................... ..`.rdata..B...........................@..@.data...(....`.......R..............@....rsrc...h............\..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):2524
    Entropy (8bit):5.292184441660355
    Encrypted:false
    SSDEEP:
    MD5:63885B33157905A91B28AD38925BE8AE
    SHA1:95205A9922C3E9E7171A44CCBBFD062BBD7461D0
    SHA-256:6B06EA79F8159000E8CC54A4E04185878F023432CE6C6E8AAB19E0C25E774BF3
    SHA-512:875F7E1FA562FAC4CFBBFE4A9C72B62BF41F054227100CAE72FEC8BE65EAF3673976E22FA272DC3077D545B9B61EC7A958282F63B037E2F8189A003B590D4498
    Malicious:false
    Reputation:low
    Preview:@...e...........e...................%...!............@..........P..................]...C....)...j.....(.Microsoft.PowerShell.Commands.ManagementH..................#..A..g&.E$v...... .Microsoft.PowerShell.ConsoleHost0...............e.+.<..K..!..K.#........System..4................q.e...B..SP9?.........System.Core.D................0.9...K.r.*6...........System.Management.AutomationL...............TKZ....M..{.0...m.....#.Microsoft.Management.Infrastructure.<................/....KA..%*.}2.........System.Management...@...............l._>.CnI.ATB............System.DirectoryServices4...............-..%3..A.s.o.4+.........System.Xml..8.................`..ERC..B9%%.=........System.Numerics.4...............]v.P3..G..............System.Data.<.................w..WD... . ..........System.ConfigurationH..................!"EA.._>^...........Microsoft.PowerShell.Security...<...............d@..dhD...<.;4!........System.Transactions.T..................z[|.I...e-._......*.Microsoft.Management.Inf
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):418256
    Entropy (8bit):6.731999797354145
    Encrypted:false
    SSDEEP:
    MD5:F87682059C749EF2960F1C9B962A7F00
    SHA1:9C2CBBA19CD20687CFA68B9B098974E1A18AACA7
    SHA-256:1710A612C5BCA7FB949B909EA2A9C006CDE23146663EA1CE8A55A18C9A1D99A1
    SHA-512:0C7C673D52EE74C4D74D4B6BA4B31DD45DA33BD81CFE112B069324D7E3D81A5F71C4603F44EFD8DA99328FF397DB2B121C0F8F1F9FD74A215DD38816B253B58B
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+3..J].J].J].l8^.J].l8X..J].l8Y.J]..?X.J]..?Y.J]..?^.J].l8\.J].}?\.J].J\.)J].}?Y.J].}?].J].}?..J].J..J].}?_.J].Rich.J].................PE..L......b...........!.................Y....... .......................................6....@A........................@...H.......P....................6...+.......0......T...........................@...@............ ..4............................text............................... ..`.rdata..F.... ......................@..@.data... ...........................@....rsrc...............................@..@.reloc...0.......2..................@..B................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0xe18 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):4612
    Entropy (8bit):2.8988604651174685
    Encrypted:false
    SSDEEP:
    MD5:201017A776E705DE9ED82B1EFD8DEDE4
    SHA1:A8AA701D0B0A597F2B5961828C79DAD7F899BA4B
    SHA-256:1C98E4A46A12650EA834B62937457D63AA5EA3FAD4754949B005EC12CBECDB53
    SHA-512:07076C5B0952776EBD634CF13FB197491F0454B0A9E2B6A483FDA2252AA70316C2B75970778C9181431BDD6FFED8619480C3D38A0BDA226BA00CFA4E5535E83D
    Malicious:false
    Reputation:low
    Preview:.........................BOR........................ ...d...........@....... ...h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......,...............................x...................................................................................................................................................................h................................... ...............,...................................4...............................................\...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1130 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):5868
    Entropy (8bit):3.1981370184211935
    Encrypted:false
    SSDEEP:
    MD5:A2D47A12B4F8E6CE1D3125E36F21551B
    SHA1:44C0C387EF5B104FD839277E45736766D5A61FBD
    SHA-256:06BA9A5903829B6D63E0D997F652CB09EF2442609F6114924B6FC0C5A45AB0AC
    SHA-512:AEE9FDCBA226CDE236AA2D16606529B12E10EC4926B19E86088DBBF9D302FF274C3088BCDF8CC72B6135FB8A2591307A26AFB4F370D578FB5FC655F7F35E5DFD
    Malicious:false
    Reputation:low
    Preview:....................0....n.Q........................8........... .......|...h...h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......h...........<.......................................................................................4...................................................................................................\...............................................D...d.......................H.......................................................t...................................................................................................................................................................................................................................................................................................................................................................................................................................................................H.......................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1058 "Signature", at 0x68 WinDirPath
    Category:dropped
    Size (bytes):5500
    Entropy (8bit):3.108789774092285
    Encrypted:false
    SSDEEP:
    MD5:242752151DF8E9FFBD16AE5817B022E2
    SHA1:97789C530A3F37C23F4E5E31FC386E3DA3267CEC
    SHA-256:7295BE10BA430FECD25F28C29614D5870F6E100D3A892A506CB9DE8F59C84C8F
    SHA-512:F50396E9BCB785E8E26D8CE6CC1DF856BF706B1B8160523687DE7ED6537A463A5EE51458E9A4555409B4B1AF77582769D9E29C5835EE7625D0405E3231CA36DE
    Malicious:false
    Reputation:low
    Preview:....................X...O]KQ........................`...x...............P...(...h...............x.......C.:.\.W.i.n.d.o.w.s.....@...............................x...............................................................................................................................................|...............................................................|.......,...L....................... .......................................................\.......................................................................................................................\.......................................................................................................................................................................................................................................................................................................\...........................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0xf50 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):5308
    Entropy (8bit):3.0566124857979258
    Encrypted:false
    SSDEEP:
    MD5:448DF3F78CCBE244FC77E91DE3D5116F
    SHA1:6DBDE8BD14C695BB3E6AA493FF385676A70447C6
    SHA-256:2357027F3C9F875F6B49BF53A85593829A4A40E77DB3A5ED71D8F437A2C67BC4
    SHA-512:BC9A4DD83481E22CF58FE3BBA5D25E23D18302C7A3F39270F41567E6840E4B5DF29D69167911814C37D02184937EF0905D5CDE1F8CA4C54EFB65C569FA0C61AC
    Malicious:false
    Reputation:low
    Preview:....................P......T....:.].................X.......8.......8...@...x...h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S...........................................................................................................(...........................................................................................................................................|.......8...L.......................P.......................................................h...................................................................................................`...................................................................................................................................................................................................................................................................................................................................................................................................h...................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1160 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):6148
    Entropy (8bit):3.2301306803609795
    Encrypted:false
    SSDEEP:
    MD5:78E2680799E759C92FCCD798A638E513
    SHA1:6D7D43C504C10DF28C520A8942F9CF494672A056
    SHA-256:EC4FE747C197463D48A2A57F709E6D3BDF11DF3857E77A3167C594AB1C367AA3
    SHA-512:8A76289BC864EA347AB0E1372A2D7414046CB510E8DB7694DE249C598C547E3D6A6AA47B0ED4D44618202D629122AD61756A53BD915FA587E2CEF16C657A53DA
    Malicious:false
    Reputation:low
    Preview:....................`....Q....q7..................h.......H...D...........H...h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......................H...................................................................................H...............................................,...............................|...........................................................T.......X...$...........................................................p...............................................................................................................X.......d...........................................................................................................................................<...........................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1528 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):7484
    Entropy (8bit):3.433858668081926
    Encrypted:false
    SSDEEP:
    MD5:925C64755AC20957EC0C2D6F06A3D0A0
    SHA1:7242F6A2A71614903B5E20B7490F6595241A798F
    SHA-256:5F6DBE13A5FE4A408EE72B4D811F6A424A815058DFD6D34201DB17117EEF4C18
    SHA-512:41EEE64173EBD85DF6CFAD7986C8037E8ADFD2357CAE939F28CA5AB3A49659B084FB2150D723E881F5875CF9EF9E496170ABFC6611C4F4DD0E56011B38EA8F77
    Malicious:false
    Reputation:low
    Preview:....................(......T......i.................0...,...`............... ...h...............8.......C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......................................................................$...................................(...............................................................................t........................................................... .......8.......................................................`.......X...................h...........................................................................................................................................................@...h...........................................................................................................l...............................................8...............................`.......................................................................................................P.......................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x15a0 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):8012
    Entropy (8bit):3.360121337675681
    Encrypted:false
    SSDEEP:
    MD5:B0A5DCB0DBC23D4C334A4D6CB64DBBC8
    SHA1:2AF1E3F1734D1D394A44735FCEBC42A59146365B
    SHA-256:41F130A0BB6CCA6B9A0380C62797A0C38D896C9EC0F7FD9DCBC4E1B6C093053B
    SHA-512:3817B6A9559DEC5F1BE73F00E7EAA4504618D3AE24A8185180C8BA033A30ACE529C31FDA7E9F0FCB6500AF2FF21CB23D2C9D4D054288FA2C5D1BC37D675EC72F
    Malicious:false
    Reputation:low
    Preview:........................t.WS.....I..............................................h...............H.......C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......P...................................p.......................h.......................................,...........................................................................................p...............................................x.......<...H...........................................................................l...l...........................................................................................0...................................................................................@.......................x.......................t...........................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0xfe8 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):5348
    Entropy (8bit):3.0777589117673045
    Encrypted:false
    SSDEEP:
    MD5:684758FD1D24D310DFFA0FCB6A8BAF7E
    SHA1:72F5B84FC270EB02C3192EA0291991184F7B6D17
    SHA-256:3731A1C7702D8BA35DEFB481ACCBC7E6CFDD8B8192C61E668E422A02312CBFC2
    SHA-512:CC05E4E06ECF2573F808C6D538C7CF99610201101C3DE028C210D4549D75A01BF6C06BDA6B4F71A0C7721236E76B0A5EB6568009840F544DB757BEC3C3377B7E
    Malicious:false
    Reputation:low
    Preview:...........................S....p@..........X.......................p...4.......h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S...............................................................................D...........................d...........................................................................................T...............................x.......................t...................................................................................................................4...........................................4...............d.......4................................................................................... ...................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1158 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):6212
    Entropy (8bit):3.2093610703563717
    Encrypted:false
    SSDEEP:
    MD5:7D48FE9AC2413FC92A8795ACFDA9B83D
    SHA1:A9DD802CDA23D7B391474E217CA35F9B091D6776
    SHA-256:BA3B4291B2353C579B644DD03360B05D8A11F60148E644DE69EF7314EDC3ECA4
    SHA-512:ACA210AE6401FD70C48D06F7B9F779E442D7103C22E083B39CDC6580C770672A60BF53330348E35EB9F043E8D3930C3702A133004014A3F83D36E653C44386A8
    Malicious:false
    Reputation:low
    Preview:....................X...J.Q....q7..................`.......@...\...........p...h...............@.......C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......................p...........$...................................................................................................................................................................................................................4...................................`...................................l...................................................\.......................................................................................................................................................l...........................................................................................................................................................................................................................................................................d.......................................................................
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x2018 "Signature", at 0x68 WinDirPath
    Category:dropped
    Size (bytes):12276
    Entropy (8bit):3.6567834853774945
    Encrypted:false
    SSDEEP:
    MD5:50B2A3BEE755A8F013BC598BD65FD555
    SHA1:024EA021E61EF0CE1FA3D69D7EA6DECB569A6696
    SHA-256:04E7026F9850B5A0E935B6B9F06CBE9928589D26758FE5DD90B2A73C714C0722
    SHA-512:E824D89862DE9646524B13ECCB0DF4C55D86184639FD95846A4477331BF34B3FFA1B5A807472CA75C03934B14EE0FC11D62A5BEEC4FFF431D42F1B00D2A90B48
    Malicious:false
    Reputation:low
    Preview:................P.... ...!'#........................h!.......#.......&......H+..h................/......C.:.\.W.i.n.d.o.w.s.....h...........................................................................\.......P...........................................P...4...................0...........................t...........................................|.......0...T...........................................................................X...........p.......................................p.......X...............................................................................L...............................................................l...............................................H.......0.......................................................0...................................................0.......................................................<...h...........................................$...................................................................4...|...............
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1338 "Signature", at 0x68 WinDirPath, at 0x80 language en-US
    Category:dropped
    Size (bytes):6532
    Entropy (8bit):3.3067069280717245
    Encrypted:false
    SSDEEP:
    MD5:47E8459E5E42F0B822CBE3CB26D9A0D1
    SHA1:586AE7AF16B0534A31501566A4B65530B209B021
    SHA-256:C085868E6AC5AC446BA8A01075AB175F0062606B2192D1867AE2289A06076F03
    SHA-512:BC3DD3596CD14D5355C1BB97653B130FA57EF06F476980B69EE6E15527A771E98C97F472629D473B8EB62D039AA02FD04908A74177E8DB2B992B807E7D81896B
    Malicious:false
    Reputation:low
    Preview:....................8....3.Q........................@....... ...P...p...........h.......................C.:.\.W.i.n.d.o.w.s.....e.n.-.U.S.......p........................................................................................................................................................................................................... ...............................................T...................................p...........................................................................t...................................................................................................0...................................................|...................................................d...........................................................\...............................................................................................................................................................................................................................d...
    Process:C:\Windows\System32\drvinst.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):8844
    Entropy (8bit):5.255097118866815
    Encrypted:false
    SSDEEP:
    MD5:FF536154CF4932322CA818EDA6712E49
    SHA1:873BB1D640CDC9C41596F46FBC37B48A5D6B03CD
    SHA-256:4C1B4785D35A4828B98B7ACACF8B18B0A4E4D0C9DA683CD9294F6A6AE6CF7BF2
    SHA-512:164D9C7ECA15FA83AA2645FD4EEFBF2A562B49615978B72F6C9C1B072CBDD1BFFDC3295D95B69D2CF26DBA67F25D6FE82DDBFA6DECDA07FA855BFA3C2311D7B4
    Malicious:false
    Reputation:low
    Preview:;-------------------------------------------------------------------------..; NPCAP.INF -- Npcap NDIS 6.x LightWeight Filter Driver..;..; Copyright (c) 2022, Insecure.Com LLC. All rights reserved...;------------------------------------------------------------------------..[version]..Signature = "$Windows NT$"..Class = NetService..ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}..CatalogFile = %NPF_DriverName%.cat..Provider = %Insecure%..DriverVer = 08/19/2022,14.4.9.854..PnpLockDown=1......[Manufacturer]..%Insecure%=Insecure,NTx86,NTARM64,NTamd64....[Insecure.NTx86]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....[Insecure.NTARM64]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....[Insecure.NTamd64]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....;----------------------------------------
    Process:C:\Windows\System32\drvinst.exe
    File Type:data
    Category:dropped
    Size (bytes):12707
    Entropy (8bit):7.252027400813497
    Encrypted:false
    SSDEEP:
    MD5:BE2A59B225DACE6A52B98F17678786C0
    SHA1:ABEC30EA6B668F9CCFF77209D54B971CE6A22711
    SHA-256:43D10D470320041E663A82439D79CFAC78DE99ADDD98E02C4D60171710D032B2
    SHA-512:9A9ACFE84F822B7F20148725A4ABAA51118759F5688D4A3841C4A9E73B59801128ADF4DF54A14078408FB14AD0ACEA068A2BDD1CF0F9FFC6C44E6E38721F79D6
    Malicious:false
    Reputation:low
    Preview:0.1...*.H........1.0.1....1.0...`.H.e......0.....+.....7......0...0...+.....7.....d.<M..yC.u..,.x...220819193556Z0...+.....7.....0...0.... !Hy]..]1...H^.....S=u....5...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... !Hy]..]1...H^.....S=u....5...0... L.G..ZH(..z.........h<.)Ojj..{.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... L.G..ZH(..z.........h<.)Ojj..{.0....PI.8d.yS....,q^..-.41..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...s.y.s...0.....;..@......o.7..]k..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...i.n.f...0.... .;...x..'._'......*n./...F.]0
    Process:C:\Windows\System32\drvinst.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):8844
    Entropy (8bit):5.255097118866815
    Encrypted:false
    SSDEEP:
    MD5:FF536154CF4932322CA818EDA6712E49
    SHA1:873BB1D640CDC9C41596F46FBC37B48A5D6B03CD
    SHA-256:4C1B4785D35A4828B98B7ACACF8B18B0A4E4D0C9DA683CD9294F6A6AE6CF7BF2
    SHA-512:164D9C7ECA15FA83AA2645FD4EEFBF2A562B49615978B72F6C9C1B072CBDD1BFFDC3295D95B69D2CF26DBA67F25D6FE82DDBFA6DECDA07FA855BFA3C2311D7B4
    Malicious:false
    Reputation:low
    Preview:;-------------------------------------------------------------------------..; NPCAP.INF -- Npcap NDIS 6.x LightWeight Filter Driver..;..; Copyright (c) 2022, Insecure.Com LLC. All rights reserved...;------------------------------------------------------------------------..[version]..Signature = "$Windows NT$"..Class = NetService..ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}..CatalogFile = %NPF_DriverName%.cat..Provider = %Insecure%..DriverVer = 08/19/2022,14.4.9.854..PnpLockDown=1......[Manufacturer]..%Insecure%=Insecure,NTx86,NTARM64,NTamd64....[Insecure.NTx86]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....[Insecure.NTARM64]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....[Insecure.NTamd64]..%NPF_Desc_Standard%=FilterStandard, INSECURE_NPCAP..%NPF_Desc_WiFi%=FilterWiFi, INSECURE_NPCAP_WIFI....;----------------------------------------
    Process:C:\Windows\System32\drvinst.exe
    File Type:data
    Category:dropped
    Size (bytes):12707
    Entropy (8bit):7.252027400813497
    Encrypted:false
    SSDEEP:
    MD5:BE2A59B225DACE6A52B98F17678786C0
    SHA1:ABEC30EA6B668F9CCFF77209D54B971CE6A22711
    SHA-256:43D10D470320041E663A82439D79CFAC78DE99ADDD98E02C4D60171710D032B2
    SHA-512:9A9ACFE84F822B7F20148725A4ABAA51118759F5688D4A3841C4A9E73B59801128ADF4DF54A14078408FB14AD0ACEA068A2BDD1CF0F9FFC6C44E6E38721F79D6
    Malicious:false
    Reputation:low
    Preview:0.1...*.H........1.0.1....1.0...`.H.e......0.....+.....7......0...0...+.....7.....d.<M..yC.u..,.x...220819193556Z0...+.....7.....0...0.... !Hy]..]1...H^.....S=u....5...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... !Hy]..]1...H^.....S=u....5...0... L.G..ZH(..z.........h<.)Ojj..{.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... L.G..ZH(..z.........h<.)Ojj..{.0....PI.8d.yS....,q^..-.41..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...s.y.s...0.....;..@......o.7..]k..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........n.p.c.a.p...i.n.f...0.... .;...x..'._'......*n./...F.]0
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):156624
    Entropy (8bit):6.354903147813271
    Encrypted:false
    SSDEEP:
    MD5:7629D56639D830A30EC1389E66D5B079
    SHA1:C2442B529D27CC90F92511E837D0A8C6E3229F2C
    SHA-256:AFDB72EB31BBAE6E25125A5F2657AB17E19C7F83293226409EC25B058BFF8CEC
    SHA-512:C0CF0717BCFC5C1B69E7A098FB3CBAED0104B494993C0B34543760A01D80FF15156E0CB679E1588F4DE24D0BCD2836C668DCB27B031B60A731BB11BBABA4664B
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.g^................z...............u...-...X...-...o...-...v.......z...............~.......~......~.......~...Rich............PE..d......b.........."......X..........P..........@....................................o$....`.....................................................<....p..0....@.......8...+......x...t...p...............................8............p...............................text....X.......X.................. ..`.rdata..n....p.......\..............@..@.data........ ......................@....pdata.......@......................@..@_RDATA.......`.......&..............@..@.rsrc...0....p.......(..............@..@.reloc..x............0..............@..B........................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32+ executable (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):266704
    Entropy (8bit):6.377269358777441
    Encrypted:false
    SSDEEP:
    MD5:4B904779B9F46BA4097FA5E8E3F1A327
    SHA1:7AB3FFAC6E6F6834839AF3DCD2C1EDB6F3A7AEC2
    SHA-256:93B7EC7E5DD8FC7FEAB5CC1CD0F6DD915F50DD7787CA41283E1DD6EEAC897D36
    SHA-512:6A80E200764EECC784FE4C7721CE4717D54CECA2861A3AB26D7625FF12D16266AC40267EEAE65F93D8C2206941D785F132974DC118BF6BDD1D659CE89B87F776
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._.....Z...........U.....N.....V.....s.....X.._..5.....]....+.^.._.C.^.....^..Rich_..........PE..d......b.........."..........D.................@.............................@............`.....................................................P.... ..(................+...0......D...p...............................8............................................text...X........................... ..`.rdata..V...........................@..@.data...............................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc...(.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):219600
    Entropy (8bit):6.40551525797105
    Encrypted:false
    SSDEEP:
    MD5:2D4274E8E4A4F4954D0D3CAD0915AE47
    SHA1:A6454C96CDE07CA9AEA4F54A363CB1D5FBE5E487
    SHA-256:C386AADC7D433D32D89EC06D370A8481566C17CB38FB53BB85C2178DFB83C749
    SHA-512:F1FD1C057FC68E00658C8236A1A40431775EC457115A09510785320F76D8E3FD4C5D9F0657C555B25D42E7E5E14A13E504BB32360BA26DBCD55961343BE5F913
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.(...F...F...F...E.+.F...C...F...B.$.F.|.C...F.|.B. .F.|.E.'.F...G.!.F...G...F..O.,.F..F./.F.../.F..../.F..D./.F.Rich..F.........PE..d......b.........." .....(...........d..............................................*.....`A.........................................................`..h....0..,........+...p......p...p...............................8............@...............................text...G'.......(.................. ..`.rdata..N....@.......,..............@..@.data...............................@....pdata..,....0......................@..@_RDATA.......P......................@..@.rsrc...h....`....... ..............@..@.reloc.......p.......&..............@..B................................................................................................................................................................................................
    Process:C:\Windows\System32\drvinst.exe
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):184079
    Entropy (8bit):5.362061162777031
    Encrypted:false
    SSDEEP:
    MD5:F21E735B481F46C01286E379CF57FFB8
    SHA1:B26DE20B55B8EE09573231A29376A9D5DE1FD88D
    SHA-256:C7EBA2CE234D06702FFE121669F230EF93F697AE512101A45E545025BDE9B1BD
    SHA-512:6791088A9CD123C26CD2BD830C7AC2C8D231CC6E8F69787578ECF5993E79F9B2AD689C4C5151240F690B8C00A6C5B58B345879668399BF035118EBFF392A0F7D
    Malicious:false
    Reputation:low
    Preview:CatalogDB: 7:15:57 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-ApplicationGuard-Shared-windows-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: SyncDB:: DeleteCatalog: Containers-Client-Manager-onecore-Package~31bf3856ad364e35~amd64~~10.0.18362.1.cat..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1470 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2046 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #2359 encountered error 0x0000012f..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encountered JET error -1601..CatalogDB: 7:15:59 AM 5/27/2021: catdbsvc.cpp at line #1245 encounter
    Process:C:\Program Files\Rumble\rumble-agent-cfe8ad04-ca5c-4a63-9aa0-4794d7bd19dd-8a181a04d2bd7740-3.2.8.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):32
    Entropy (8bit):3.702819531114783
    Encrypted:false
    SSDEEP:
    MD5:FF0C3835C46A4D9D881FD6B942B41942
    SHA1:06D487C7005AA643A424684C212A1A7ED0A8A25E
    SHA-256:72ED30D07581A6782AAB20585C396BF0A49CE323C6B172D883FDAFBD50C2503E
    SHA-512:DC61E957F38F48501349D54BAA2DE72F2FC7976C36D27B672B272575D13A6747A0E62300B8C9FCDDB2C9CC831CF76E5A618C39FEF6434D946912A8B07D922B9C
    Malicious:false
    Reputation:low
    Preview:133cb55ba389f57ce2261e15224d666f
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:PE32+ executable (native) x86-64, for MS Windows
    Category:dropped
    Size (bytes):77336
    Entropy (8bit):6.7068091635126
    Encrypted:false
    SSDEEP:
    MD5:08A2DEF8EFC2619DDABE13A041703AEA
    SHA1:F9FD929C77D5A47766623ABAA7490BCD98B3AD97
    SHA-256:A2039B552DFACD4EDC2B8ED42BBE32CB0A481240FCE18F78AEB1A68DBB747D39
    SHA-512:0AFB5D2DD6747B37162494F4F90387160C5B90C58A71703D2DDD07256E848EE1F3E4237B660D511262255E54038AB11699808526A3574450C9407EB1E830DFAC
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........)o..G<..G<..G<..F=..G<..F<M.G<..A=..G<..D=..G<..C=..G<..O=..G<...<..G<..E=..G<Rich..G<........PE..d......b.........."..........&.................@.............................0............`A................................................d...d...............|........T... ..<...p...8...............................8............... ............................text...6s.......t.................. ..h.rdata..|............x..............@..H.data...`...........................@....pdata..|...........................@..HPAGE................................ ..`INIT....P........................... ..b.rsrc...............................@..B.reloc..<.... ......................@..B................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):489424
    Entropy (8bit):6.471008916134363
    Encrypted:false
    SSDEEP:
    MD5:D18D831553573C0BB4F6D9774EA0EB98
    SHA1:F9F55503F4BAA7E50AFE26381BD4407F6891D08E
    SHA-256:B6FE42548C81B1403178D67320CF32FFB9E2FCEA9D610C584CEFCDBC1DBDD9E4
    SHA-512:7D4B6175419895DB7AED9745266475D23A4430218A7BCBB12DE442672143DCC3C4531C63796E634E58ABC2DB0E4EDB600AEE0211AEDA6EE385A4C021849A4592
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........[.I.5.I.5.I.5...6.L.5...0..5...1.B.5./..H.5...0.V.5...1.F.5...6.B.5...4.M.5...4.J.5.I.4..5...1.Q.5...5.H.5....H.5.I...H.5...7.H.5.RichI.5.................PE..d......b.........." .........&......................................................X....`A............................................H...8...P...............l6...L...+..............T...............................8............................................text............................... ..`.rdata...D.......F..................@..@.data...t...........................@....pdata..l6.......8..................@..@_RDATA...............8..............@..@.rsrc................:..............@..@.reloc...............@..............@..B........................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):60
    Entropy (8bit):4.038920595031593
    Encrypted:false
    SSDEEP:
    MD5:D17FE0A3F47BE24A6453E9EF58C94641
    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
    Malicious:false
    Reputation:low
    Preview:# PowerShell test file to determine AppLocker lockdown mode
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:data
    Category:dropped
    Size (bytes):4590601
    Entropy (8bit):6.5741978045299785
    Encrypted:false
    SSDEEP:
    MD5:8E04E4063C6089EA788F56C024B21C37
    SHA1:7A9E943C7545D9A5F6296A2FBA9BB1BC599CF060
    SHA-256:417BF846E5C2BD04199146498D4176DAF48A35640EC5FD82208827A96FD946D6
    SHA-512:A7B325F12899971F95B92397DF097442FE7D99C172D19923A88B258281EC8DCAF471E7F53698C141486F954932F1CB27E9A4EA7124822603C50323C27D5DFEF4
    Malicious:false
    Reputation:low
    Preview:V.......,.......l...............<...........................................................................................0................................................................................................................................................................................U..f.......................G.......................I.......................8.......................................................j.......................G........................................................................................................................................................................A..........y...........................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):23248
    Entropy (8bit):6.298019852585357
    Encrypted:false
    SSDEEP:
    MD5:170C17AC80215D0A377B42557252AE10
    SHA1:4CBAB6CC189D02170DD3BA7C25AA492031679411
    SHA-256:61EA114D9D0CD1E884535095AA3527A6C28DF55A4ECEE733C8C398F50B84CC3D
    SHA-512:0FD65CAD0FCAA98083C2021DE3D6429E79978658809C62AE9E4ED630C016915CED36AA52F2F692986C3B600C92325E79FD6D757634E8E02D5E582FF03679163F
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L......`...........!.........`.......+.......0......................................&2....@..........................8......X1.......................>..........X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32+ executable (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):308176
    Entropy (8bit):6.267502406751556
    Encrypted:false
    SSDEEP:
    MD5:36F0E125CB870AC28CDFF861A684F844
    SHA1:2E2CDEFF8B14EF9146DDDB9A659BCC6532C72421
    SHA-256:0560D98683343995D5F2DD5F2607F7298BD81BE7746EFA0D212481FBFA76788E
    SHA-512:144E014E1047EC0BCF96821207BB4138873557A1FF47843F34EE1C33B6FF1D8365DE6177A14C5F8088D0A2087142B7A1F56BF7F7ABA67BDD83BBB88F3A36507B
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!...OI..OI..OIG.LH..OIG.JH..OI.JH..OI.KH..OI.LH..OIG.KH..OIG.NH..OI..NI5.OIV.FH..OIV..I..OI...I..OIV.MH..OIRich..OI........PE..d......b..........".................P..........@....................................M.....`..................................................B..................( .......+..............p........................... ...8............................................text............................... ..`.rdata..fT.......V..................@..@.data...L....`.......H..............@....pdata..( ......."...T..............@..@_RDATA...............v..............@..@.rsrc................x..............@..@.reloc..............................@..B........................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):19664
    Entropy (8bit):6.608232189655304
    Encrypted:false
    SSDEEP:
    MD5:F020A8D9EDE1FB2AF3651AD6E0AC9CB1
    SHA1:341F9345D669432B2A51D107CBD101E8B82E37B1
    SHA-256:7EFE73A8D32ED1B01727AD4579E9EEC49C9309F2CB7BF03C8AFA80D70242D1C0
    SHA-512:408FA5A797D3FF4B917BB4107771687004BA507A33CB5944B1CC3155E0372CB3E04A147F73852B9134F138FF709AF3B0FB493CD8FA816C59E9F3D9B5649C68C4
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p......):....@..........................B.......@..P....................0.......`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF, LF line terminators
    Category:dropped
    Size (bytes):568
    Entropy (8bit):3.512000700664646
    Encrypted:false
    SSDEEP:
    MD5:CAE757421DB8D011E41266BFD9439885
    SHA1:7108A9F0740EE4E3A118F6AC9212E0446F074181
    SHA-256:FF350A68202AADB145F590C8579F9284D2E3C324B0369FDE39E5A3A31D7B8204
    SHA-512:785D19C796834065C823A7DA99036378BBA54B932EA1E47D4BA0C1D123A0A09EC307A3459FB862221DE74CE61D9A8D7EC73901C9DE007D31E7B39EB7A19B16B5
    Malicious:false
    Reputation:low
    Preview:..[.S.e.t.t.i.n.g.s.]...N.u.m.F.i.e.l.d.s.=.2...B.a.c.k.E.n.a.b.l.e.d.=.0...N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.F.i.n.i.s.h...R.T.L.=.0.......[.F.i.e.l.d. .1.]...T.y.p.e.=.L.a.b.e.l...L.e.f.t.=.1.0...R.i.g.h.t.=.-.1...T.o.p.=.1.0...B.o.t.t.o.m.=.1.8...T.e.x.t.=.N.p.c.a.p. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .2.]...T.y.p.e.=.L.a.b.e.l...L.e.f.t.=.1.0...R.i.g.h.t.=.-.1...T.o.p.=.3.0...B.o.t.t.o.m.=.3.8...T.e.x.t.=.C.l.i.c.k. .F.i.n.i.s.h. .t.o. .c.l.o.s.e. .t.h.i.s. .w.i.z.a.r.d.....S.t.a.t.e.=.0.....
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):14544
    Entropy (8bit):6.626986011741245
    Encrypted:false
    SSDEEP:
    MD5:F9E61A25016DCB49867477C1E71A704E
    SHA1:C01DC1FA7475E4812D158D6C00533410C597B5D9
    SHA-256:274E53DC8C5DDC273A6F5683B71B882EF8917029E2EAF6C8DBEE0C62D999225D
    SHA-512:B4A6289EF9E761E29DD5362FECB1707C97D7CB3E160F4180036A96F2F904B2C64A075B5BF0FEA4A3BB94DEA97F3CFA0D057D3D6865C68DA65FDCB9C3070C33D8
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    • Antivirus: Metadefender, Detection: 0%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...5..`...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF, LF line terminators
    Category:dropped
    Size (bytes):2356
    Entropy (8bit):3.641850273378014
    Encrypted:false
    SSDEEP:
    MD5:D5B270807BD5E8E117DB66010FD51AFA
    SHA1:4EF5F4835C4DB596CC641D2DE63187DE8EE5C6B3
    SHA-256:5A5E297948D13919E4432A5F7544DA14DE5ACCBE6D228F32162669148853EDF5
    SHA-512:EE06C81076891A0716CBA6F4696A6C7E8033322E6A3378A9E41CEF0F3BAA9483898DF7BD0058DA6FAF857660D1A5E36BA5CCB6F55E6648CA6450420EB595FCA6
    Malicious:false
    Reputation:low
    Preview:..[.S.e.t.t.i.n.g.s.]...N.u.m.F.i.e.l.d.s.=.7...R.T.L.=.0.......;.[.F.i.e.l.d. .A.]...;.T.y.p.e.=.C.h.e.c.k.B.o.x...;.L.e.f.t.=.1.0...;.R.i.g.h.t.=.-.1...;.T.o.p.=.2.0...;.B.o.t.t.o.m.=.2.8...;.T.e.x.t.=.A.u.t.o.m.a.t.i.c.a.l.l.y. .s.t.a.r.t. .t.h.e. .N.p.c.a.p. .d.r.i.v.e.r. .a.t. .b.o.o.t. .t.i.m.e...;.S.t.a.t.e.=.1...;...[.F.i.e.l.d. .1.]...T.y.p.e.=.L.a.b.e.l...L.e.f.t.=.1.0...R.i.g.h.t.=.-.1...T.o.p.=.2.0...B.o.t.t.o.m.=.2.8...T.e.x.t.=...S.t.a.t.e.=.1...;.F.l.a.g.s.=.N.O.T.I.F.Y.....;.[.F.i.e.l.d. .B.]...;.T.y.p.e.=.C.h.e.c.k.B.o.x...;.L.e.f.t.=.1.0...;.R.i.g.h.t.=.-.1...;.T.o.p.=.5.0...;.B.o.t.t.o.m.=.5.8...;.T.e.x.t.=.U.s.e. .D.L.T._.N.U.L.L. .a.s. .t.h.e. .l.o.o.p.b.a.c.k. .i.n.t.e.r.f.a.c.e.'. .l.i.n.k. .l.a.y.e.r. .p.r.o.t.o.c.o.l. .i.n.s.t.e.a.d. .o.f. .D.L.T._.E.N.1.0.M.B...;.S.t.a.t.e.=.0...;...[.F.i.e.l.d. .2.]...T.y.p.e.=.C.h.e.c.k.B.o.x...L.e.f.t.=.1.0...R.i.g.h.t.=.-.1...T.o.p.=.3.5...B.o.t.t.o.m.=.4.3...T.e.x.t.=.R.e.s.t.r.i.c.t. .N.p.c.a.p. .d.r.i.v.e.r.'.s. .a.c.c.
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:data
    Category:dropped
    Size (bytes):1971
    Entropy (8bit):7.4219702430600245
    Encrypted:false
    SSDEEP:
    MD5:397A5848D3696FC6BA0823088FEA83DB
    SHA1:9189985F027DE80D4882AB5E01604C59D6FC1F16
    SHA-256:AD3BCA6F2B0EC032C7F1FE1ADB186BD73BE6A332C868BF16C9765087FFF1C1CA
    SHA-512:66129A206990753967CD98C14A0A3E0E2A73BC4CD10CF84A5A05DA7BF20719376989D64C6C7880A3E4754FC74653DD49F2FFEFFD55FC4EE5966F65BEB857118C
    Malicious:false
    Reputation:low
    Preview:0.....*.H..........0......1.0...*.H..........0...0............\&j.@...y.F%w0...*.H........0l1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1+0)..U..."DigiCert High Assurance EV Root CA0...061110000000Z..311110000000Z0l1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1+0)..U..."DigiCert High Assurance EV Root CA0.."0...*.H.............0...........s....--2...?..%I.q*..4g...._i.@.......AY:...<.t8.J.M%..J.S.8..Imq.~c..._...ObQ.....8........(AU..Z..~q.5.Mr.=.:8P[w1....$E...m..Z.....Q..AA"Nea..AP.y\...JW...].S,~......hs.4..\.q.Z|U.^d.7.0V....)...y9....|'f...x....8..d.f]....%..].P. ..A.n.Q8.K.......c0a0...U...........0...U.......0....0...U.......>.i...G..&....cd+.0...U.#..0....>.i...G..&....cd+.0...*.H....................<.f..W!.!G.*g...2v@.W...z..e.5...E...L1K...C,..x...Syq..!...U..$d..f..7.4.i.#.x"+pC.UG1a..X./N0..1.#...e.3....=..^.1.`..-..\R......._...|6c8.D...&+..i.....W..v..U.Hi.*.[.D. 1...p&].`..K../...Ch..'..\..!.h..<.....\.c..G.%'g.7..
    Process:C:\Windows\Temp\rumble-npcap-1721457150.exe
    File Type:data
    Category:modified
    Size (bytes):7347
    Entropy (8bit):7.197306585728131
    Encrypted:false
    SSDEEP:
    MD5:DD4BC901EF817319791337FB345932E8
    SHA1:F8A3454A09D90A09273935020C1418FDB7B7EB7C
    SHA-256:8E681692403C0F7C0B24160F4642DAA1EB080CE5EC754B6F47CC56B43E731B71
    SHA-512:0A67CC346F9752E1C868B7DC60B25704255AB1E6EA745850C069212F2724EBA62FFAAA48309D5EBA6AE0235223518610FB4B60FC422E4BABBA4F33D331C71DB5
    Malicious:false
    Reputation:low
    Preview:0.....*.H..........0......1.0...*.H..........0...0...........%c...~j..0u...0...*.H........0l1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1+0)..U..."DigiCert EV Code Signing CA (SHA2)0...200501000000Z..210507120000Z0..1.0...+.....7<.....US1.0...+.....7<.....California1.0...U....Private Organization1.0...U....2000103100131.0...U....US1.0...U....Washington1.0...U....Seattle1.0...U....Insecure.Com LLC1.0...U....Insecure.Com LLC0.."0...*.H.............0............4lP..*b....3.. .;8xZ.Z%.....-..K.........F&..=.m.Fj5....H..f.`....'Q.m.d...\JCTS|......Vj(..... #....D.At.LN."V.J..T..38...A.e...c...Y.fY.c.0..........>.&..m.y..k..W.B.".`.........p.).0.r...q...&...O.I...?..<S.......~W7#.....t-..v..(K.P.!..q.c.........0...0...U.#..0.....~.m2j..#.p.j:..k..0...U........ ..0..........0..05..U....0,.*..+.........0...US-CALIFORNIA-2000103100130...U...........0...U.%..0...+.......0{..U...t0r07.5.3.1http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07.5.3.1http://crl4.digicert
    Process:C:\Program Files\Npcap\NPFInstall.exe
    File Type:PE32+ executable (native) x86-64, for MS Windows
    Category:dropped
    Size (bytes):77336
    Entropy (8bit):6.7068091635126
    Encrypted:false
    SSDEEP:
    MD5:08A2DEF8EFC2619DDABE13A041703AEA
    SHA1:F9FD929C77D5A47766623ABAA7490BCD98B3AD97
    SHA-256:A2039B552DFACD4EDC2B8ED42BBE32CB0A481240FCE18F78AEB1A68DBB747D39
    SHA-512:0AFB5D2DD6747B37162494F4F90387160C5B90C58A71703D2DDD07256E848EE1F3E4237B660D511262255E54038AB11699808526A3574450C9407EB1E830DFAC
    Malicious:false
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........)o..G<..G<..G<..F=..G<..F<M.G<..A=..G<..D=..G<..C=..G<..O=..G<...<..G<..E=..G<Rich..G<........PE..d......b.........."..........&.................@.............................0............`A................................................d...d...............|........T... ..<...p...8...............................8............... ............................text...6s.......t.................. ..h.rdata..|............x..............@..H.data...`...........................@....pdata..|...........................@..HPAGE................................ ..`INIT....P........................... ..b.rsrc...............................@..B.reloc..<.... ......................@..B................................................................................................................................................................................................
    Process:C:\Windows\System32\taskkill.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):55
    Entropy (8bit):4.373615677793376
    Encrypted:false
    SSDEEP:
    MD5:F9CAE9DB8D10396572AF11DD85B1B1D1
    SHA1:F15E2FA235F8D996F2B054565EEA9CB26675C2F5
    SHA-256:15F7A36B267DF7D7B2DBEAD10900A0E54446A14BB502F62A014AC57A5A869590
    SHA-512:BD3AA8890DB41BF56512F0EFD1C3AFACD4F33BC2FB2DE106BECE62D43B1F492B766AD7F6AD2C78253CFB8B29226C76401F4092C86CB8CE681915BE50A0C60BB6
    Malicious:false
    Reputation:low
    Preview:..INFO: No tasks running with the specified criteria...
    File type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
    Entropy (8bit):6.203520187548798
    TrID:
    • Win64 Executable (generic) (12005/4) 74.95%
    • Generic Win/DOS Executable (2004/3) 12.51%
    • DOS Executable Generic (2002/1) 12.50%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
    File name:runzero-explorer-3.2.8-windows-amd64.exe
    File size:79330800
    MD5:d0674fbefbacf4c3b9ca5d710753895d
    SHA1:73e7fc7e44dac934242996da65a880bf69a8a064
    SHA256:12ad8fd40637ec16d0bae840c3318d72c1b3d4d5cf835d06ebd56a15034e0181
    SHA512:17e700b3f4cceb3439f7e6eef76ae12103490f6da8feb5d0ff34235618fcd91e1e9a0c43b25da9352c305d7bf35bfb7586583d516069ab3cb3af4e90ece730e3
    SSDEEP:393216:qqTQBxGCmLbYCaJhTBWCzibmZjUHjWJQmEWxPkWxdHni2joO1Zj4:5oPCaJNPziyOH9mEWxPhiB+4
    TLSH:C0086C97E85591E0C5AEC174C6278652FB713C894B30A3D72BA0F634BBB3BC49A79350
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...........Q...............@..............................@%...........`... ............................
    Icon Hash:c09b43c39393d232
    Entrypoint:0x46e780
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:1
    File Version Major:6
    File Version Minor:1
    Subsystem Version Major:6
    Subsystem Version Minor:1
    Import Hash:ff9f3a86709796c17211f9df12aae74d
    Signature Valid:true
    Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before, Not After
    • 10/26/2021 2:00:00 AM 10/26/2024 1:59:59 AM
    Subject Chain
    • CN="Rumble, Inc.", O="Rumble, Inc.", L=Austin, S=Texas, C=US, SERIALNUMBER=7045767, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
    Version:3
    Thumbprint MD5:C2AC6C1202E6FAE1931C40F864EE37B8
    Thumbprint SHA-1:5504ED3E114CBCCCD2A15AD8B3FD69833CB3403C
    Thumbprint SHA-256:EFAFE0B960CF7EE859B089195C34DE6B1F7729F8DD7155FD0F8209266D542A11
    Serial:08E50F1FDE129402CA0BFBDC93F2D7FA
    Instruction
    jmp 00007F0F88D997F0h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
pushfq
cld
sub rsp, 000000E0h
mov qword ptr [rsp], rdi
mov qword ptr [rsp+08h], rsi
mov qword ptr [rsp+10h], rbp
mov qword ptr [rsp+18h], rbx
mov qword ptr [rsp+20h], r12
mov qword ptr [rsp+28h], r13
mov qword ptr [rsp+30h], r14
mov qword ptr [rsp+38h], r15
movups dqword ptr [rsp+40h], xmm6
movups dqword ptr [rsp+50h], xmm7
movups dqword ptr [rsp+60h], xmm8
movups dqword ptr [rsp+70h], xmm9
movups dqword ptr [rsp+00000080h], xmm10
movups dqword ptr [rsp+00000090h], xmm11
movups dqword ptr [rsp+000000A0h], xmm12
movups dqword ptr [rsp+000000B0h], xmm13
movups dqword ptr [rsp+000000C0h], xmm14
movups dqword ptr [rsp+000000D0h], xmm15
sub rsp, 30h
mov r15, rax
mov rdx, qword ptr [00000028h]
cmp rdx, 00000000h
jne 00007F0F88D9D51Eh
mov rax, 00000000h
jmp 00007F0F88D9D595h
mov rdx, qword ptr [rdx+00000000h]
cmp rdx, 00000000h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5123000        0x4b8         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5252000        0x1e60        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x4ba3800        0x45f0        .data
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5124000        0x12c930      .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x455ef60        0x150         .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name     Virtual Address  Virtual Size  Raw Size   Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text    0x1000           0x1897f66     0x1898000  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata   0x1899000        0x2cc2380     0x2cc2400  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x455c000        0xbc6aa0      0x519c00   unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   0x5123000        0x4b8         0x600      False     0.3411458333333333   data       3.866439120618795    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc   0x5124000        0x12c930      0x12ca00   False     0.06507438929313929  data       5.439772800174549    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab  0x5251000        0x4           0x200      False     0.02734375           data       0.020393135236084953 IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc    0x5252000        0x1e60        0x2000     False     0.7877197265625      data       6.991016988993547    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name           RVA        Size    Type                                                          Language  Country
RT_ICON        0x5252130  0x1637  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced   English   United States
RT_GROUP_ICON  0x5253768  0x14    data                                                          English   United States
RT_VERSION     0x5253780  0x3e4   data                                                          English   United States
RT_MANIFEST    0x5253b68  0x2f2   XML 1.0 document, ASCII text                                  English   United States

DLL           Import
kernel32.dll  WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Language of compilation system  Country where language is spoken
English                         United States
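The section table, the per-section "Entropy" column and the "Import Hash" field above are all derived from the raw PE headers and import table, and they are the values an analyst would want to recompute locally before trusting a report. The following script is an added example, not part of the Joe Sandbox report or of the runZero tool: it walks the DOS header, PE signature, COFF header and section headers with the standard library only, computes Shannon entropy per section exactly as the "Entropy (8bit)" figures are defined, and builds an import hash in the pefile convention (DLL name lowercased with .dll/.ocx/.sys stripped, function names lowercased, entries joined with commas in import-table order, MD5). The PE image it parses is constructed in-line so the script runs offline; it is not the analysed sample, and the import list passed to the hash is a constructed subset of the kernel32.dll imports listed above. Imports by ordinal (not used by this sample's kernel32 imports) are deliberately not handled.

```python
"""Recompute PE static-analysis values (section table, per-section entropy,
imphash) from raw bytes. Added example; the image built by
build_sample_image() is constructed for the parser and is not the analysed
sample. Ordinal imports are not handled (assumption: name imports only)."""
import hashlib
import math
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the report's 'Entropy (8bit)' over the same bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def characteristics(flags: int) -> list:
    """Decode the section Characteristics bitmask into the report's flag names."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]


def parse_pe(image: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff)
    first_section = coff + 20 + opt_size      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER_FMT, image, first_section + i * 40)
        raw = image[rawptr:rawptr + rawsize]  # bytes on disk, what the entropy column measures
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": shannon_entropy(raw), "characteristics": characteristics(flags),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def imphash_string(imports: dict) -> str:
    """'lib.func' entries in import-table order, as pefile hashes them (name imports only)."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports: dict) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def build_sample_image() -> bytes:
    """Constructed minimal PE32+ (machine 0x8664, two sections, zero timestamp, no
    optional header). .text is all zero bytes, .rsrc holds every byte value twice."""
    text_raw, rsrc_raw = bytes(512), bytes(range(256)) * 2
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 2, 0, 0, 0, 0, 0x0022)
    text_ptr = e_lfanew + 4 + 20 + 2 * 40
    rsrc_ptr = text_ptr + len(text_raw)
    sec_text = struct.pack(SECTION_HEADER_FMT, b".text", len(text_raw), 0x1000,
                           len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_rsrc = struct.pack(SECTION_HEADER_FMT, b".rsrc", len(rsrc_raw), 0x2000,
                           len(rsrc_raw), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    return dos + IMAGE_NT_SIGNATURE + coff + sec_text + sec_rsrc + text_raw + rsrc_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    print(f"machine=0x{info['machine']:x} timestamp=0x{info['timestamp']:x}")
    for s in info["sections"]:
        print(f"{s['name']:<8}0x{s['virtual_address']:x}  0x{s['virtual_size']:x}  "
              f"0x{s['raw_size']:x}  {s['entropy']:.3f}  {', '.join(s['characteristics'])}")
    # Constructed subset of the kernel32.dll imports listed above, in that order.
    print("imphash:", imphash({"KERNEL32.dll": ["WriteFile", "WriteConsoleW", "ExitProcess"]}))
```

To check the real sample, replace `build_sample_image()` with `open(path, "rb").read()` and pass the full import table to `imphash` in the order the binary's import directory lists it; any difference from the report's section table or Import Hash means either the file on disk differs from the submitted sample or the import order was changed. A zero `timestamp` and an empty `.symtab`, as in this report, are normal for a Go-built binary and are not on their own a packing indicator.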