ryuk | b2400db1a4af9607fdd6ee50e0f5926d8b9272f89eec93d4c30b56dc854afb7a

Analysis

max time kernel
74s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-06-2022 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nmap-7.92-setup.exe
Size

27.3MB
MD5

79ba1e7f3d16eb87bfebb79b01928421
SHA1

f0f0e7f7b802639a7e3f96b51d632f047291c37e
SHA256

b2400db1a4af9607fdd6ee50e0f5926d8b9272f89eec93d4c30b56dc854afb7a
SHA512

8c1dad5cd7829395b7df69cf1db789e2702cb7cdf58cb76d0e6b0c0f9b69261c57f8347d9d9185295d08e1d2fc6834db59f14ffd00a2be01c2d834130e394559

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Nmap\nselib\data\enterprise_numbers.txt

Family

ryuk

Ransom Note

# curl -L http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers | perl -lne 'if(/^\d/){$x=$_}elsif($x){print"$x\t$_";$x=undef}' 1 NxNetworks 2 IBM (https://w3.ibm.com/standards) 3 Carnegie Mellon 4 Unix 5 ACC 6 TWG 7 CAYMAN 8 PSI 9 ciscoSystems 10 NSC 11 Hewlett-Packard 12 Epilogue 13 U of Tennessee 14 BBN Technologies 15 Xylogics, Inc. 16 Timeplex 17 Canstar 18 Wellfleet 19 TRW 20 MIT 21 EON 22 Fibronics 23 Novell 24 Spider Systems 25 NSFNET 26 Hughes LAN Systems 27 Intergraph 28 Interlan 29 Vitalink Communications 30 Ulana 31 NSWC 32 Santa Cruz Operation 33 MRV Communications, In-Reach Product Division 34 Cray 35 Nortel Networks 36 DEC 37 Touch 38 Network Research Corp. 39 Baylor College of Medicine 40 NMFECC-LLNL 41 SRI 42 Sun Microsystems 43 3Com 44 CMC 45 SynOptics 46 Cheyenne Software 47 Prime Computer 48 MCNC/North Carolina 49 Chippcom 50 Optical Data Systems 51 gated 52 Enterasys Networks Inc. 53 Apollo Computers 54 DeskTalk Systems, Inc. 55 SSDS 56 Castle Rock Computing 57 MIPS Computer Systems 58 TGV, Inc. 59 Silicon Graphics, Inc. 60 University of British Columbia 61 Merit 62 NetEdge 63 Apple Computer, Inc. 64 Gandalf 65 Dartmouth College 66 David Systems 67 Reuter 68 Cornell 69 Michael Sabo 70 Locus Computing Corp. 71 NASA 72 Retix 73 Boeing 74 AT&T 75 Ungermann-Bass 76 Digital Analysis Corporation 77 LAN Manager 78 LogMatrix Inc (formerly 'OpenService Inc.') 79 Fujitsu Services 80 Auspex Systems, Inc 81 Lannet Company 82 Network Computing Devices 83 Raycom Systems 84 Pirelli Focom Ltd. 85 Datability Software Systems 86 Network Application Technology 87 Institute of Telematics, Karlsruhe Institute of Technology (KIT) 88 New York University 89 RND 90 InterCon Systems Corporation 91 Coral Network Corporation 92 Webster Computer Corporation 93 Frontier Technologies Corporation 94 Nokia 95 Allen-Bradely Company 96 CERN 97 Sigma Network Systems, Inc. 98 Emerging Technologies, Inc. 99 SNMP Research 100 Ohio State University 101 Ultra Network Technologies Julie 102 Microcom 103 Lockheed Martin 104 Micro Technology 105 Process Software Corporation 106 EMC Data General Division 107 Bull Company 108 Emulex Corporation 109 Warwick University Computing Services 110 NetScout Systems, Inc. (formerly 'Network General Corporation') 111 Oracle 112 Control Data Corporation 113 Hughes Aircraft Company 114 Synernetics, Inc. 115 Mitre 116 Hitachi, Ltd. 117 Telebit 118 Salomon Technology Services 119 NEC Corporation 120 Fibermux 121 FTP Software Inc. 122 Sony 123 Newbridge Networks Corporation 124 Racal-Datacom 125 CR SYSTEMS 126 DSET Corporation 127 Computone 128 Tektronix, Inc. 129 Interactive Systems Corporation 130 Banyan Systems Inc. 131 Sintrom Datanet Limited 132 Bell Canada 133 Olicom Enterprise Products Inc. 134 Rice University 135 OnStream Networks 136 Concurrent Computer Corporation 137 Basser 138 Luxcom 139 Artel 140 Independence Technologies, Inc.(ITI) 141 NetScout Systems, Inc. (formerly 'Frontier Software Development') 142 Digital Computer Limited 143 Eyring, Inc. 144 Case Communications 145 Penril DataComm, Inc. 146 American Airlines, Inc. 147 Sequent Computer Systems 148 Bellcore 149 Concord Communications 150 University of Washington 151 Develcon 152 Solarix Systems 153 Unifi Communications Corp. 154 Roadnet 155 Network Systems Corp. 156 ENE (European Network Engineering) 157 Dansk Data Elektronik A/S 158 Morningstar, Inc. 159 Dupont EOP 160 Legato Systems, Inc. 161 Motorola 162 European Space Agency (ESA) 163 Aethis sa/nv 164 Rad Data Communications Ltd. 165 OfficeNet, Inc. 166 Shiva Corporation 167 Fujikura America 168 Xlnt Designs INC (XDI) 169 Tandem Computers 170 BICC 171 D-Link Systems, Inc. 172 AMP, Inc. 173 Netlink 174 C. Itoh Electronics 175 Sumitomo Electric Industries (SEI) 176 DHL Systems, Inc. 177 Network Equipment Technologies 178 APTEC Computer Systems 179 Schneider & Koch & Co, Datensysteme GmbH 180 Hill Air Force Base 181 Kentrox 182 Japan Radio Co. 183 Versitron 184 Telecommunication Systems 185 Interphase 186 Toshiba Corporation 187 Clearpoint Research Corp. 188 Ascom 189 Fujitsu America 190 NovaQuest InfoSystems 191 NCR 192 Dr. Materna GmbH 193 Ericsson AB 194 Metaphor Computer Systems 195 Patriot Partners 196 The Software Group Limited (TSG) 197 Kalpana, Inc. 198 University of Waterloo 199 CCL/ITRI 200 Coeur Postel 201 Mitsubish Cable Industries, Ltd. 202 SMC 203 Crescendo Communication, Inc. 204 Goodall Software Engineering 205 Intecom 206 Victoria University of Wellington 207 Allied Telesis, Inc. 208 Cray Communications A/S 209 Protools 210 NIPPON TELEGRAPH AND TELEPHONE CORPORATION 211 Fujitsu Limited 212 Network Peripherals Inc. 213 Netronix, Inc. 214 University of Wisconsin Madison 215 NetWorth, Inc. 216 Tandberg Data A/S 217 Technically Elite Concepts, Inc. 218 Labtam Australia Pty. Ltd. 219 Republic Telcom Systems, Inc. 220 ADI Systems, Inc. 221 Microwave Bypass Systems, Inc. 222 Pyramid Technology Corp. 223 Unisys_Corp 224 LANOPTICS LTD., Israel 225 NKK Corporation 226 CODIMA Technologies Ltd 227 Acals 228 ASTEC, Inc. 229 Delmarva Power 230 Telematics International, Inc. 231 Fujitsu Technology Solutions GmbH (formerly 'Fujitsu Siemens Computers') 232 Compaq 233 NetManage, Inc. 234 NC State University 235 Empirical Tools and Technologies 236 Samsung Electronics Co., LTD. 237 Takaoka Electric Mfg. Co., Ltd. 238 NxNetworks 239 WINDATA 240 RC International A/S 241 Netexp Research 242 Internode Systems Pty Ltd 243 netCS Informationstechnik GmbH 244 Lantronix 245 Avatar Consultants 246 Furukawa Electoric Co. Ltd. 247 ND SatCom - Gesellschaft für SatellitenkommunikationssystemembH 248 Richard Hirschmann GmbH & Co. 249 G2R Inc. 250 University of Michigan 251 Netcomm, Ltd. 252 Sable Technology Corporation 253 Xerox 254 Conware Computer Consulting GmbH 255 Compatible Systems Corp. 256 Scitec Communications Systems Ltd. 257 Transarc Corporation 258 Matsushita Electric Industrial Co., Ltd. 259 ACCTON Technology 260 Star-Tek, Inc. 261 ADC Codenoll Technology Corporation 262 Formation, Inc. 263 Seiko Instruments, Inc. 264 RCE (Reseaux de Communication d'Entreprise S.A.) 265 Xenocom, Inc. 266 Nexans Deutschland Industries 267 Systech Computer Corporation 268 Visual 269 CSC Airline Solutions Denmark A/S 270 Zenith Electronics Corporation 271 TELECOM FINLAND 272 BinTec Communications GmbH 273 EUnet Germany 274 PictureTel Corporation 275 Michigan State University 276 GTE Government Systems - Network Management Organization 277 Cascade Communications Corp. 278 APRESIA Systems, Ltd. (formerly 'Hitachi Cable, Ltd.') 279 Olivetti 280 Vitacom Corporation 281 INMOS 282 AIC Systems Laboratories Ltd. 283 Cameo Communications, Inc. 284 Diab Data AB 285 Olicom A/S 286 Digital-Kienzle Computersystems 287 CSELT(Centro Studi E Laboratori Telecomunicazioni) 288 Electronic Data Systems 289 Brocade Communications Systems, Inc. (formerly 'McData Corporation') 290 Harris Corporation 291 Technology Dynamics, Inc. 292 DATAHOUSE Information Systems Ltd. 293 Teltrend (NZ) Limited 294 Texas Instruments 295 PlainTree Systems Inc. 296 Hedemann Software Development 297 Fuji Xerox Co., Ltd. 298 Asante Technology 299 Stanford University 300 Digital Link 301 Raylan Corporation 302 Commscraft 303 Hughes Communications, Inc. 304 Farallon Computing, Inc. 305 GE Information Services 306 Gambit Computer Communications 307 Livingston Enterprises, Inc. 308 Star Technologies 309 Micronics Computers Inc. 310 Basis, Inc. 311 Microsoft 312 US West Advance Technologies 313 University College London 314 Eastman Kodak Company 315 Network Resources Corporation 316 Atlas Telecom 317 Bridgeway 318 American Power Conversion Corp. 319 DOE Atmospheric Radiation Measurement Project 320 VerSteeg CodeWorks 321 Verilink Corp 322 Sybus Corportation 323 Tekelec 324 NASA Ames Research Center 325 Simon Fraser University 326 Fore Systems, Inc. 327 Centrum Communications, Inc. 328 NeXT Computer, Inc. 329 Netcore, Inc. 330 Northwest Digital Systems 331 Andrew Corporation 332 Digi International 333 Computer Network Technology 334 Lotus Development Corp. 335 MICOM Communication Corporation 336 ASCII Corporation 337 PUREDATA Research 338 NTT DATA 339 Siemens Industry Inc. 340 Kendall Square Research (KSR) 341 ORNL 342 Network Innovations, Inc. 343 Intel Corporation 344 Compuware Corporation 345 Epson Research Center 346 Fibernet 347 Dot Hill Systems 348 American Express Company 349 Compu-Shack 350 Parallan Computer, Inc. 351 Stratacom 352 Open Networks Engineering, Inc. 353 ATM Forum 354 SSD Management, Inc. 355 Automated Network Management, Inc. 356 Magnalink Communications Corporation 357 Kasten Chase Applied Research 358 Skyline Technology, Inc. 359 Nu-Mega Technologies, Inc. 360 Morgan Stanley & Co. International PLC 361 Integrated Business Network 362 L & N Technologies, Ltd. 363 Cincinnati Bell Information Systems, Inc. 364 RAMA Technologies 365 MICROGNOSIS 366 Datapoint Corporation 367 RICOH Co. Ltd. 368 Axis Communications AB 369 Pacer Software 370 3COM/Axon 371 Alebra Technologies, Inc. 372 GSI 373 Tatung Co., Ltd. 374 DIS Research Ltd. 375 Quotron Systems, Inc. 376 Dassault Electronique 377 Corollary, Inc. 378 SEEL, Ltd. 379 Lexcel 380 pier64 381 OST 382 Megadata Pty Ltd. 383 LLNL Livermore Computer Center 384 Dynatech Communications 385 Symplex Communications Corp. 386 Tribe Computer Works 387 Taligent, Inc. 388 Symbol Technologies, Inc. 389 Lancert 390 Alantec 391 Ridgeback Solutions 392 Metrix, Inc. 393 Symantec Corporation 394 NRL Communication Systems Branch 395 I.D.E. Corporation 396 Panasonic Electric Works Co., Ltd. 397 MegaPAC 398 Tyco Electronics 399 Hitachi Computer Products (America), Inc. 400 METEO FRANCE 401 PRC Inc. 402 Wal-Mart Stores, Inc. 403 Nissin Electric Company, Ltd. 404 Distributed Support Information Standard 405 SMDS Interest Group (SIG) 406 SolCom Systems Ltd. 407 Bell Atlantic 408 Advanced Multiuser Technologies Corporation 409 Mitsubishi Electric Corporation 410 C.O.L. Systems, Inc. 411 University of Auckland 412 Distributed Management Task Force (DMTF) 413 Klever Computers, Inc.Tom Su 414 Amdahl Corporation 415 JTEC Pty, Ltd. 416 Matra Communcation 417 HAL Computer Systems 418 Lawrence Berkeley Laboratory 419 Dale Computer Corporation 420 University of Tuebingen 421 Bytex Corporation 422 Cogwheel, Inc. 423 Lanwan Technologies 424 Thomas-Conrad Corporation 425 TxPort 426 Compex, Inc. 427 Evergreen Systems, Inc. 428 HNV, Inc. 429 UTStarcom Incorporated 430 Canada Post Corporation 431 Open Systems Solutions, Inc. 432 Toronto Stock Exchange 433 Mamakos\TransSys Consulting 434 EICON 435 Jupiter Systems 436 SSTI 437 Grand Junction Networks 438 Pegasus Solutions, Inc. 439 Edward D. Jones and Company 440 Amnet, Inc. 441 Chase Research 442 BMC Software 443 Gateway Communications, Inc. 444 Peregrine Systems 445 Daewoo Telecom 446 Norwegian Telecom Research 447 WilTel 448 Ericsson-Camtec 449 Codex 450 Basis 451 AGE Logic 452 INDE Electronics 453 Isode Limited 454 J.I. Case 455 Trillium 456 Bacchus Inc. 457 MCC 458 Stratus Computer 459 Quotron 460 Beame & Whiteside 461 Cellular Technical Services 462 Shore Microsystems, Inc. 463 Telecommunications Techniques Corp. 464 DNPAP (Technical University Delft) 465 Plexcom, Inc. 466 Tylink 467 Brookhaven Laboratory 468 Computer Communication Systems 469 Norand Corporation 470 MUX-LAP 471 Premisys Communications, Inc 472 Bell South Telecommunications 473 J. Stainsbury PLC 474 Manage Operations 475 Wandel and Goltermann Technologies 476 Vertiv (formerly 'Emerson Computer Power') 477 Network Software Associates 478 Procter and Gamble 479 Meridian Technology Corporation 480 QMS, Inc. 481 Network ExpressTom Jarema 482 LANcity Corporation 483 Dayna Communications, Inc. 484 kn-X Ltd. 485 Sync Research, Inc. 486 PremNet 487 SIAC 488 New York Stock Exchange 489 American Stock Exchange 490 FCR Software, Inc. 491 National Medical Care, Inc. 492 DCS Dialog Communication Systems Aktiengesellschaft Berlin 493 NorTele 494 Madge Networks, Inc. 495 Memotec Communications 496 ON 497 Leap Technology, Inc. 498 General DataComm, Inc. 499 ACE Communications, Ltd. 500 ADP 501 European Agency of Digital Trust (formerly 'Programa SPRITEL') 502 Adacom 503 Metrodata Ltd 504 Ellemtel Telecommunication Systems Laboratories 505 Arizona Public Service 506 NETWIZ, Ltd., 507 Science and Engineering Research Council (SERC) 508 508 Credit Suisse First Boston - Watcher 509 Hadax Electronics Inc. 510 VTKK 511 North Hills Israel Ltd. 512 TECSIEL 513 Bayerische Motoren Werke (BMW) AG 514 CNET Technologies 515 MCI 516 Human Engineering AG (HEAG) 517 FileNet Corporation 518 Kongsberg Gruppen ASA (formerly 'NFT-Ericsson') 519 Dun & Bradstreet 520 Intercomputer Communications 521 Defense Intelligence Agency 522 Telesystems SLW Inc. 523 APT Communications 524 Delta Airlines 525 California Microwave 526 Avid Technology Inc 527 Integro Advanced Computer Systems 528 RPTI 529 Ascend Communications Inc. 530 Eden Computer Systems Inc. 531 Kawasaki-Steel Corp 532 Systems Management Infrasture, Barclays Bank PLC 533 B.U.G., Inc. 534 Eaton Corporation 535 Superconducting Supercollider Lab. 536 Triticom 537 Universal Instruments Corp. 538 Information Resources, Inc. 539 Kentrox 540 Crypto AG 541 Infinite Networks, Ltd. 542 Tangram Enterprise Solutions, Inc. 543 Alebra Technologies, Inc. 544 Equinox Systems, Inc. 545 Hayes Microcomputer Products 546 Empire Technologies Inc. 547 Glaxochem, Ltd. 548 Software Professionals, Inc 549 Agent Technology, Inc. 550 Dornier GMBH 551 Telxon Corporation 552 Entergy Corporation 553 GarrettCom, Inc (formerly 'Garrett Communications') 554 Agile Networks, Inc. 555 Larscom 556 Stock Equipment 557 ITT Corporation 558 Universal Data Systems, Inc. 559 Sonix Communications, Ltd. 560 Paul Freeman Associates, Inc. 561 John S. Barnes, Corp. 562 Northern Telecom, Ltd. 563 CAP Debris 564 Telco Systems NAC 565 Tosco Refining Co 566 Russell Info Sys 567 University of Salford 568 NetQuest Corp. 569 Armon Networking Ltd. 570 IA Corporation 571 AU-System Communicaton AB 572 GoldStar Information & Communications, Ltd. 573 SECTRA AB 574 ONEAC Corporation 575 Tree Technologies 576 General Dynamics C4 Systems 577 Geneva Software, Inc. 578 Interlink Computer Sciences, Inc. 579 Bridge Information Systems, Inc. 580 Leeds and Northrup Australia (LNA) Nigel Cook 581 CSG Systems International (formerly 'Intec Telecom Systems') 582 Newport Systems Solutions, Inc. 583 azel Corporation 584 ROBOTIKER 585 PeerLogic Inc. 586 Digital Transmittion Systems 587 Far Point Communications 588 Xircom 589 Mead Data Central 590 Royal Bank of Canada 591 Advantis, Inc. 592 Chemical Banking Corp. 593 Eagle Technology 594 BT 595 Radix BV 596 TAINET Communication System Corp. 597 Comtek Services Inc. 598 Fair Isaac Corporation 599 AST Research Inc. 600 Soft*Star s.r.l. Ing. Enrico Badella 601 Bancomm 602 Trusted Information Systems, Inc. 603 Harris & Jeffries, Inc. 604 Axel Technology Corp. 605 NetTest Inc. 606 CAP debis 607 Lachman Technology, Inc. 608 Galcom Networking Ltd. 609 BAZIS 610 SYNAPTEL 611 Investment Management Services, Inc. 612 Taiwan Telecommunication Lab 613 Anagram Corporation 614 Univel 615 University of California, San Diego 616 CompuServe 617 Telstra - OTC Australia 618 Westinghouse Electric Corp. 619 DGA Ltd. 620 Elegant Communications Inc. 621 Experdata 622 Unisource Business Networks Sweden AB 623 Molex, Inc. 624 Quay Financial Software 625 VMX Inc. 626 Hypercom, Inc. 627 University of Guelph 628 DIaLOGIKa 629 NBASE Switch Communication 630 Anchor Datacomm B.V. 631 PACDATA 632 University of Colorado 633 Tricom Communications Limited 634 Santix Software GmbH 635 Encore Networks, Inc. 636 Georgia Institute of Technology 637 Alcatel-Lucent (formerly 'Alcatel Data Network') 638 GTECH 639 UNOCAL Corporation 640 First Pacific Network 641 Lexmark International 642 Qnix Computer 643 Jigsaw Software Concepts (Pty) Ltd. 644 Eastern Research Inc. 645 nsgdata.com Inc 646 SEIKO Communication Systems, Inc. 647 Unified Management 648 RADLINX Ltd. 649 Microplex Systems Ltd. 650 Trio Information Systems AB 651 Phoenix Microsystems 652 Distributed Systems International, Inc. 653 Evolving Systems, Inc. 654 SAT GmbH 655 CeLAN Technology, Inc. 656 Landmark Systems Corp. 657 Netone Systems Co., Ltd. 658 Loral Data Systems 659 Cellware Broadband Technology 660 MuSys Corporation 661 IMC Netw

URLs

http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

https://w3.ibm.com/standards

http://rpm5.org

http://www.arduino.cc/

http://www.nashire.com

http://www.sentinel-engine.org

http://www.ingnitia.com

http:\\citvo.ru

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETCAEE.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETCAEE.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Executes dropped EXE 6 IoCs

pid	Process
1792	npcap-1.50.exe
848	NPFInstall.exe
1380	NPFInstall.exe
824	NPFInstall.exe
1888	NPFInstall.exe
300	zenmap.exe

Loads dropped DLL 61 IoCs

pid	Process
1468	nmap-7.92-setup.exe
1468	nmap-7.92-setup.exe
1468	nmap-7.92-setup.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1280	Process not Found
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
592	Process not Found
1792	npcap-1.50.exe
1688	Process not Found
1792	npcap-1.50.exe
1632	Process not Found
1396	Process not Found
1396	Process not Found
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1792	npcap-1.50.exe
1468	nmap-7.92-setup.exe
1468	nmap-7.92-setup.exe
1468	nmap-7.92-setup.exe
1468	nmap-7.92-setup.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe
300	zenmap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FE7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_93536e242c20956d\npcap.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.50.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FD6.tmp	DrvInst.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.50.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.50.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.50.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	NPFInstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_93536e242c20956d\NPCAP.PNF	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.50.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_93536e242c20956d\npcap.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	NPFInstall.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FE6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FE7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.50.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.50.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.50.exe
File created	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FD6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\SET4FE6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.50.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.50.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\npcap.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\netbus-version.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\quake3-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\redis-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-vuln-cve2010-4344.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\afp-ls.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mikrotik-routeros-brute.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mysql-enum.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\nessus-brute.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\drda.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\nbns-interfaces.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssl-date.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\hr\LC_MESSAGES\zenmap.mo	nmap-7.92-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libgdk-win32-2.0-0.dll	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\bacnet-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-ip6-arpa-scan.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-exif-spider.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2017-5689.nse	nmap-7.92-setup.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files (x86)\Nmap\py2exe\library.zip	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-feed.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb2-vuln-uptime.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\gps.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libxml2-2.dll	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\irc-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ms-sql-dac.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ldap.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-pppoe-discover.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-cors.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-iis-short-name-brute.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\iax2-version.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ftp-vsftpd-backdoor.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\targets-ipv6-multicast-invalid-dst.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\redhat_32.png	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\radialnet\router.png	nmap-7.92-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\gtk._gtk.pyd	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-phpmyadmin-dir-traversal.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-brute.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\nsedebug.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\rmi.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\irc.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\http-default-accounts-fingerprints.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\snmpcommunities.lst	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\db2-das-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-svn-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rusers.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\dnssd.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\psexec\experimental.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\etc\gtk-2.0\gtk.immodules	nmap-7.92-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\_ctypes.pyd	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nse_main.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-cakephp-version.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-put.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ncp.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-majordomo2-dir-traversal.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\isns.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\match.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\etc\bash_completion.d\gdbus-bash-completion.sh	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\firewall-bypass.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-form-fuzzer.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\pcworx-info.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\anyconnect.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\snmp.lua	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-nsec-enum.nse	nmap-7.92-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ftp-vuln-cve2010-4221.nse	nmap-7.92-setup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File created	C:\Windows\INF\oem0.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	NPFInstall.exe
File created	C:\Windows\INF\oem1.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000400000001e242-57.dat	nsis_installer_1
behavioral1/files/0x000400000001e242-57.dat	nsis_installer_2
behavioral1/files/0x000400000001e242-59.dat	nsis_installer_1
behavioral1/files/0x000400000001e242-59.dat	nsis_installer_2
behavioral1/files/0x000400000001e242-61.dat	nsis_installer_1
behavioral1/files/0x000400000001e242-61.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2016	SCHTASKS.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1812	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
848	NPFInstall.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	NPFInstall.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	588	pnputil.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	824	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	1888	NPFInstall.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeRestorePrivilege	1252	rundll32.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe
Token: SeBackupPrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	944	DrvInst.exe
Token: SeRestorePrivilege	1280	DrvInst.exe
Token: SeRestorePrivilege	1280	DrvInst.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1468 wrote to memory of 1792	1468	nmap-7.92-setup.exe	28
PID 1792 wrote to memory of 848	1792	npcap-1.50.exe	29
PID 1792 wrote to memory of 848	1792	npcap-1.50.exe	29
PID 1792 wrote to memory of 848	1792	npcap-1.50.exe	29
PID 1792 wrote to memory of 848	1792	npcap-1.50.exe	29
PID 1792 wrote to memory of 908	1792	npcap-1.50.exe	31
PID 1792 wrote to memory of 908	1792	npcap-1.50.exe	31
PID 1792 wrote to memory of 908	1792	npcap-1.50.exe	31
PID 1792 wrote to memory of 908	1792	npcap-1.50.exe	31
PID 1792 wrote to memory of 1380	1792	npcap-1.50.exe	33
PID 1792 wrote to memory of 1380	1792	npcap-1.50.exe	33
PID 1792 wrote to memory of 1380	1792	npcap-1.50.exe	33
PID 1792 wrote to memory of 1380	1792	npcap-1.50.exe	33
PID 1380 wrote to memory of 588	1380	NPFInstall.exe	35
PID 1380 wrote to memory of 588	1380	NPFInstall.exe	35
PID 1380 wrote to memory of 588	1380	NPFInstall.exe	35
PID 1792 wrote to memory of 824	1792	npcap-1.50.exe	37
PID 1792 wrote to memory of 824	1792	npcap-1.50.exe	37
PID 1792 wrote to memory of 824	1792	npcap-1.50.exe	37
PID 1792 wrote to memory of 824	1792	npcap-1.50.exe	37
PID 1792 wrote to memory of 1888	1792	npcap-1.50.exe	39
PID 1792 wrote to memory of 1888	1792	npcap-1.50.exe	39
PID 1792 wrote to memory of 1888	1792	npcap-1.50.exe	39
PID 1792 wrote to memory of 1888	1792	npcap-1.50.exe	39
PID 944 wrote to memory of 1252	944	DrvInst.exe	42
PID 944 wrote to memory of 1252	944	DrvInst.exe	42
PID 944 wrote to memory of 1252	944	DrvInst.exe	42
PID 1792 wrote to memory of 2016	1792	npcap-1.50.exe	46
PID 1792 wrote to memory of 2016	1792	npcap-1.50.exe	46
PID 1792 wrote to memory of 2016	1792	npcap-1.50.exe	46
PID 1792 wrote to memory of 2016	1792	npcap-1.50.exe	46
PID 1468 wrote to memory of 1796	1468	nmap-7.92-setup.exe	48
PID 1468 wrote to memory of 1796	1468	nmap-7.92-setup.exe	48
PID 1468 wrote to memory of 1796	1468	nmap-7.92-setup.exe	48
PID 1468 wrote to memory of 1796	1468	nmap-7.92-setup.exe	48
PID 1796 wrote to memory of 1812	1796	regedt32.exe	49
PID 1796 wrote to memory of 1812	1796	regedt32.exe	49
PID 1796 wrote to memory of 1812	1796	regedt32.exe	49
PID 1796 wrote to memory of 1812	1796	regedt32.exe	49

C:\Users\Admin\AppData\Local\Temp\nmap-7.92-setup.exe
"C:\Users\Admin\AppData\Local\Temp\nmap-7.92-setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\npcap-1.50.exe
  "C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\npcap-1.50.exe" /loopback_support=no
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe" -n -check_dll
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst2945.tmp\combined.p7b"
    3⤵
    PID:908
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\pnputil.exe
      pnputil.exe -e
      4⤵
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:588
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\SCHTASKS.EXE
    SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
    3⤵
    - Creates scheduled task(s)
    PID:2016
- C:\Windows\SysWOW64\regedt32.exe
  regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\nmap_performance.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\nmap_performance.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1812

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5ff80867-6651-0916-10ce-6c5ce68edc7a}\NPCAP.inf" "9" "605306be3" "0000000000000588" "WinSta0\Default" "00000000000003D8" "208" "C:\Program Files\Npcap"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3607fdd8-455d-2754-f97f-7f3013ac1c32} Global\{443a02a9-9eeb-78b1-4fd5-a610358e8a5c} C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\NPCAP.inf C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\npcap.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000005C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Program Files (x86)\Nmap\zenmap.exe
"C:\Program Files (x86)\Nmap\zenmap.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.sys

Filesize
61KB

MD5
9eaeac705f38e8fc9f0295504a31e1fe

SHA1
0c152ef5f6ccfa1d6b26a5d3e07597528aae121d

SHA256
e8e4cab0a920c4dc5987b4905b01dda61f9a557565677f5a917e2d669b79fd04

SHA512
67c17ae2db4e535d5914d65f7c2431986d6490f5d1cafd5dfef64ad76d3d64f35529fb6ec87d1dfbd0a4b7ddd8c0f6de5642f36f52f7661f417a1a68f41661da

Download Submit
C:\Program Files (x86)\Nmap\PYTHON27.DLL

Filesize
2.5MB

MD5
77f43ca8468be239a76a12c2d640f1d9

SHA1
8a30bf4db3e95eecbdc694f501e9d670b76f5019

SHA256
a92dcb68cb58be8fbc695893ab8c9975a37b17f4cf21fc69cf802b48b2b5350e

SHA512
98791cd05b81e5a1daaddb3ddf0cdbb57f38fe4bab1397c2d825cf11d3fcdf4d8cc3a6d8f465cace72a04fea5e5c178e64738c48dc2871c56375a00d6f7dc94c

Download Submit
C:\Program Files (x86)\Nmap\py2exe\bz2.pyd

Filesize
69KB

MD5
813c016e2898c6a2c1825b586de0ae61

SHA1
7113efcccb6ab047cdfdb65ba4241980c88196f4

SHA256
693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

SHA512
dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Download Submit
C:\Program Files (x86)\Nmap\py2exe\glib._glib.pyd

Filesize
57KB

MD5
0de636503e43c4eb00e80927bc9bda97

SHA1
a332441ccc490fcfcaf913b657ec9ef5d1ceed08

SHA256
f820c17ae8327aac088cf0f98fef17ef34fce27dda19ad279abbbc1aaac0293c

SHA512
0e9da1a0c643689328e888bade660868b111ab9008c3586fc1595ae990a6763d426779bfee6dfb0451c11bda55f098d413f5eb5e3b163c3cf3bf5feadc26819c

Download Submit
C:\Program Files (x86)\Nmap\py2exe\intl.dll

Filesize
148KB

MD5
eb2d4c4d4a527bc88a69a16cc99afcf5

SHA1
b326ec4919e1ec9595c064b24853b1e6b71530a3

SHA256
682d4277092472cac940558f9e679b44a6394159e49c9bbda299e33bfc6fdc92

SHA512
009f31cd68a87a40aef4be07af805ab50fac03f4c621144b170d9d3313b1b6a73415f6dd878b048f85afc1b662659a88e4cc89e9a8c76f631f6f1b79d57fd0b0

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libglib-2.0-0.dll

Filesize
1.2MB

MD5
18e88b04da123bf05b07ff60a4e96654

SHA1
f46cd8411e579da9f31749809a5707fecb28b7db

SHA256
c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde

SHA512
735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libgthread-2.0-0.dll

Filesize
43KB

MD5
7ad6f303082b382bff7bafbab246c61f

SHA1
8d94c4d4b0633a80e28504a3c694dd2bae252854

SHA256
ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3

SHA512
eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598

Download Submit
C:\Program Files (x86)\Nmap\py2exe\library.zip

Filesize
1.1MB

MD5
e800eb9e1126182929563ecb7146f038

SHA1
79105e16895267bb833083109a7a7bdbc3a431c2

SHA256
36b893c4e273e8e7ff4444e4945d0f6487a633917d56aeed3dcfc19aad0007ef

SHA512
dc6ee6c2918b1a44e2b3f8ca50bad2ead39c2634d5e110e12aaeeeb973e839debd3213e92a83712c1e9ea47dc554fdb7f1fd45a067d8a53bfc07cdcbff14bce2

Download Submit
C:\Program Files (x86)\Nmap\zenmap.exe

Filesize
438KB

MD5
8c6382091dbb95c34e85ce139e9c014c

SHA1
f99b0938c3c9bdf15f05ab902ddd480641817d6b

SHA256
42d68b1d11b1c09ecbdf540d66ba41dc19260ad17f71a3e31c9da72ec1bd359a

SHA512
1034449c9f75510a5630e3d5dd53bba3ac98ff2b16dc074fe7e74dfed48469bd5891817ef2915964a64c56004ac5289f82506335d5cc3574849212bfe85df559

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
cdb01d0a8b69a22b78cf37089c13d344

SHA1
fd911a8869f4e703da873918028a7bf300f63f64

SHA256
8fd04028332a7caa1e58cec1925d57f651eeed94ac8c4f96120535790acb9cf2

SHA512
06926d10f62eba5b91b684a39d17b13682da9fd84416b553ecf3eb819ea8eeecb3b934e99f239030e2280954178cda539f348ca59683a5ad98a83e9ca436e80f

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
0d9000e235bd979b6b83c80b4d2117a1

SHA1
ed62801343781f608d61882ba9b42cb603430fdc

SHA256
ec95be0a6c4acba360a1aecafd9440625a25196906c731ca443ebeae8edf8579

SHA512
e9225004a2c6d989ac0b6fbc5f660ff6f6753884fbc2e08277192748c2a2a696e5052ee2b0cf7b13893dd839e06f1013f20602f882f66eb905ffa619c4ae31a8

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
dceeae56b6c73123f9d72c8464a0dc7e

SHA1
52ad05034cf7870e870477552f88ef02f3b0129f

SHA256
5294b14bce4311faaa3b7a31db17e1bde5aa1e018dedb0d62fd85ee398d0866a

SHA512
245e56eb022e0568860dff2a726e9fc7c615ebd3e2c74eb8ab2acbb2f45db93b412d40e7a7e9872d1fc041f65c83f256902d02a2ff94db1f6ab5e4577ab8254a

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
f3969721ccf6e5ebea64d14d6e261d90

SHA1
a9f4e8e919f1ffc1a01835e79953ea1b471fc8cd

SHA256
8f1981ce8a1d22c4bcfea8cf5918f6a83faa21fbf7db3849edb5aba1285714e3

SHA512
ae28b541347f2e1ed564d359c66f42f54226a6d6f952764577a44aad6437c920519c38061a09f75e056cf69cd4739cde8324dad84ee641e31885953980ce8aef

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
913214a2ec44bfcf7ebf304f3b8a61a9

SHA1
3accaefc05f6ac7ad66d306e3c21abd11ef9d0e4

SHA256
f0c581472f44a497a4f47719bb8be8fc2d2503349ea23a3fa0e877ea064eb9f6

SHA512
5a24bfb20f1e2367eb43cce0badfc56f192acae48efe94de97ce4fed16fa5ee973811e3f5a8f400a793e474ff34b2ddd8c8ba078aa7e4689b6b8204ed223ee1f

Download Submit
C:\Program Files\Npcap\npcap.cat

Filesize
9KB

MD5
149442be3ad60bad66727a94638f7dbb

SHA1
64045d15918b1b4b19affb9b9979f74b306f57aa

SHA256
2e32f2cc5d6718fdfc3f1c5960d884863a11cbd524f424b7776869c39154fb4b

SHA512
3378c92969e5f1fcd9bdf66a9db6e8faaa137ccf7fc949408650e067b8e4a8b4a9fcffaf0f4e2131ab1c0a7691a3c1b128a3a95aa4749e887b30ccca54bfb12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\npcap-1.50.exe

Filesize
1.0MB

MD5
34681aaf9fcba7623c89d386390165ac

SHA1
6cbf981ffe95d9ba48cfec709eeca473b9775d01

SHA256
4af9538091ed309ebc57bc35897ccb053012b8a166c32bae0f62fbc4fbf11e89

SHA512
d5aafc7392fbe11a7561a32c85d6ab198ffa4680916db97faf4be1646f4293d63fa667b4eb558c32caf44dd01a40aed065b07b608d335829dd1834705305e9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\npcap-1.50.exe

Filesize
1.0MB

MD5
34681aaf9fcba7623c89d386390165ac

SHA1
6cbf981ffe95d9ba48cfec709eeca473b9775d01

SHA256
4af9538091ed309ebc57bc35897ccb053012b8a166c32bae0f62fbc4fbf11e89

SHA512
d5aafc7392fbe11a7561a32c85d6ab198ffa4680916db97faf4be1646f4293d63fa667b4eb558c32caf44dd01a40aed065b07b608d335829dd1834705305e9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2945.tmp\combined.p7b

Filesize
9KB

MD5
ecc8b82379b0ce4499e4d8c5dc631bda

SHA1
a070af81dd65d21aa07e218f6815fe4b415bdf39

SHA256
3eda497554db9bb53a359165a830d187ecb9a35199311f806fee608f9f904ee0

SHA512
46a028d98042e0ccae4458e92fcc82635cc6f6c61e9f8ae9660a0bd16b13c9b3eddeb551c1ba01ad61cead298b7c38ba87cb20cc1997599d3f65144e121f6f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5FF80~1\npcap.sys

Filesize
61KB

MD5
9eaeac705f38e8fc9f0295504a31e1fe

SHA1
0c152ef5f6ccfa1d6b26a5d3e07597528aae121d

SHA256
e8e4cab0a920c4dc5987b4905b01dda61f9a557565677f5a917e2d669b79fd04

SHA512
67c17ae2db4e535d5914d65f7c2431986d6490f5d1cafd5dfef64ad76d3d64f35529fb6ec87d1dfbd0a4b7ddd8c0f6de5642f36f52f7661f417a1a68f41661da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5ff80867-6651-0916-10ce-6c5ce68edc7a}\NPCAP.inf

Filesize
8KB

MD5
cdb01d0a8b69a22b78cf37089c13d344

SHA1
fd911a8869f4e703da873918028a7bf300f63f64

SHA256
8fd04028332a7caa1e58cec1925d57f651eeed94ac8c4f96120535790acb9cf2

SHA512
06926d10f62eba5b91b684a39d17b13682da9fd84416b553ecf3eb819ea8eeecb3b934e99f239030e2280954178cda539f348ca59683a5ad98a83e9ca436e80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5ff80867-6651-0916-10ce-6c5ce68edc7a}\npcap.cat

Filesize
9KB

MD5
149442be3ad60bad66727a94638f7dbb

SHA1
64045d15918b1b4b19affb9b9979f74b306f57aa

SHA256
2e32f2cc5d6718fdfc3f1c5960d884863a11cbd524f424b7776869c39154fb4b

SHA512
3378c92969e5f1fcd9bdf66a9db6e8faaa137ccf7fc949408650e067b8e4a8b4a9fcffaf0f4e2131ab1c0a7691a3c1b128a3a95aa4749e887b30ccca54bfb12d

Download Submit
C:\Windows\INF\oem2.inf

Filesize
8KB

MD5
cdb01d0a8b69a22b78cf37089c13d344

SHA1
fd911a8869f4e703da873918028a7bf300f63f64

SHA256
8fd04028332a7caa1e58cec1925d57f651eeed94ac8c4f96120535790acb9cf2

SHA512
06926d10f62eba5b91b684a39d17b13682da9fd84416b553ecf3eb819ea8eeecb3b934e99f239030e2280954178cda539f348ca59683a5ad98a83e9ca436e80f

Download Submit
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_93536e242c20956d\npcap.PNF

Filesize
11KB

MD5
eb1efd48e2b7e17fa928c8a1679b410c

SHA1
4e744fc6c8c8c1b10148f2851ab891e6d66d917b

SHA256
1dc9f8936522bfe3bde3b04b36f588df59434b83cbee1ad42292991478b61987

SHA512
27fe7bad548f99e85e519108476c1be8b2ffb0d31601cf602be32666c7c51138939f0479687c9107ddeffd13e38222daee8a6a305d314a56b763eb527c30c19a

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
3070d8e69ac125558db4082d9040a98e

SHA1
1c1f94198a67b6afaa02eaeccc23bd49a117874f

SHA256
a24502f5eb66366cee9e707e63bcf966cb1a0f45e1c9bf57ecd1abe8352449ec

SHA512
1db77b8fdf99a5719ed52a0f72bbfddda5c20ca99ca54f9addf66af644cee3dbf0ce1b67907a1bf5a3ca78ef797deab78bb4f1089fa3426da60661f5d2f7f4ad

Download Submit
C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\NPCAP.inf

Filesize
8KB

MD5
cdb01d0a8b69a22b78cf37089c13d344

SHA1
fd911a8869f4e703da873918028a7bf300f63f64

SHA256
8fd04028332a7caa1e58cec1925d57f651eeed94ac8c4f96120535790acb9cf2

SHA512
06926d10f62eba5b91b684a39d17b13682da9fd84416b553ecf3eb819ea8eeecb3b934e99f239030e2280954178cda539f348ca59683a5ad98a83e9ca436e80f

Download Submit
C:\Windows\System32\DriverStore\Temp\{4dbbd702-c2c9-0edc-bcce-0c3b86cc496c}\npcap.cat

Filesize
9KB

MD5
149442be3ad60bad66727a94638f7dbb

SHA1
64045d15918b1b4b19affb9b9979f74b306f57aa

SHA256
2e32f2cc5d6718fdfc3f1c5960d884863a11cbd524f424b7776869c39154fb4b

SHA512
3378c92969e5f1fcd9bdf66a9db6e8faaa137ccf7fc949408650e067b8e4a8b4a9fcffaf0f4e2131ab1c0a7691a3c1b128a3a95aa4749e887b30ccca54bfb12d

Download Submit
\Program Files (x86)\Nmap\py2exe\bz2.pyd

Filesize
69KB

MD5
813c016e2898c6a2c1825b586de0ae61

SHA1
7113efcccb6ab047cdfdb65ba4241980c88196f4

SHA256
693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

SHA512
dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Download Submit
\Program Files (x86)\Nmap\py2exe\glib._glib.pyd

Filesize
57KB

MD5
0de636503e43c4eb00e80927bc9bda97

SHA1
a332441ccc490fcfcaf913b657ec9ef5d1ceed08

SHA256
f820c17ae8327aac088cf0f98fef17ef34fce27dda19ad279abbbc1aaac0293c

SHA512
0e9da1a0c643689328e888bade660868b111ab9008c3586fc1595ae990a6763d426779bfee6dfb0451c11bda55f098d413f5eb5e3b163c3cf3bf5feadc26819c

Download Submit
\Program Files (x86)\Nmap\py2exe\intl.dll

Filesize
148KB

MD5
eb2d4c4d4a527bc88a69a16cc99afcf5

SHA1
b326ec4919e1ec9595c064b24853b1e6b71530a3

SHA256
682d4277092472cac940558f9e679b44a6394159e49c9bbda299e33bfc6fdc92

SHA512
009f31cd68a87a40aef4be07af805ab50fac03f4c621144b170d9d3313b1b6a73415f6dd878b048f85afc1b662659a88e4cc89e9a8c76f631f6f1b79d57fd0b0

Download Submit
\Program Files (x86)\Nmap\py2exe\libglib-2.0-0.dll

Filesize
1.2MB

MD5
18e88b04da123bf05b07ff60a4e96654

SHA1
f46cd8411e579da9f31749809a5707fecb28b7db

SHA256
c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde

SHA512
735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4

Download Submit
\Program Files (x86)\Nmap\python27.dll

Filesize
2.5MB

MD5
77f43ca8468be239a76a12c2d640f1d9

SHA1
8a30bf4db3e95eecbdc694f501e9d670b76f5019

SHA256
a92dcb68cb58be8fbc695893ab8c9975a37b17f4cf21fc69cf802b48b2b5350e

SHA512
98791cd05b81e5a1daaddb3ddf0cdbb57f38fe4bab1397c2d825cf11d3fcdf4d8cc3a6d8f465cace72a04fea5e5c178e64738c48dc2871c56375a00d6f7dc94c

Download Submit
\Program Files (x86)\Nmap\zenmap.exe

Filesize
438KB

MD5
8c6382091dbb95c34e85ce139e9c014c

SHA1
f99b0938c3c9bdf15f05ab902ddd480641817d6b

SHA256
42d68b1d11b1c09ecbdf540d66ba41dc19260ad17f71a3e31c9da72ec1bd359a

SHA512
1034449c9f75510a5630e3d5dd53bba3ac98ff2b16dc074fe7e74dfed48469bd5891817ef2915964a64c56004ac5289f82506335d5cc3574849212bfe85df559

Download Submit
\Program Files (x86)\Nmap\zenmap.exe

Filesize
438KB

MD5
8c6382091dbb95c34e85ce139e9c014c

SHA1
f99b0938c3c9bdf15f05ab902ddd480641817d6b

SHA256
42d68b1d11b1c09ecbdf540d66ba41dc19260ad17f71a3e31c9da72ec1bd359a

SHA512
1034449c9f75510a5630e3d5dd53bba3ac98ff2b16dc074fe7e74dfed48469bd5891817ef2915964a64c56004ac5289f82506335d5cc3574849212bfe85df559

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFB52.tmp\npcap-1.50.exe

Filesize
1.0MB

MD5
34681aaf9fcba7623c89d386390165ac

SHA1
6cbf981ffe95d9ba48cfec709eeca473b9775d01

SHA256
4af9538091ed309ebc57bc35897ccb053012b8a166c32bae0f62fbc4fbf11e89

SHA512
d5aafc7392fbe11a7561a32c85d6ab198ffa4680916db97faf4be1646f4293d63fa667b4eb558c32caf44dd01a40aed065b07b608d335829dd1834705305e9a2

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\InstallOptions.dll

Filesize
14KB

MD5
5f35212d7e90ee622b10be39b09bd270

SHA1
c4bc9593902adf6daaef37e456dc6100d50d0925

SHA256
31944b93e44301974d9c6f810d2da792e34a53dcacd619a08cb0385ac59e513d

SHA512
7514810367f56d994c6d5703b56ac16124fab5dfdcfbe337d4413274c1ff9037a2ee623e49ab2fb6227412ab29fcc49a3ada1391910d44c2b5de0adeb3e7c2f0

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\InstallOptions.dll

Filesize
14KB

MD5
5f35212d7e90ee622b10be39b09bd270

SHA1
c4bc9593902adf6daaef37e456dc6100d50d0925

SHA256
31944b93e44301974d9c6f810d2da792e34a53dcacd619a08cb0385ac59e513d

SHA512
7514810367f56d994c6d5703b56ac16124fab5dfdcfbe337d4413274c1ff9037a2ee623e49ab2fb6227412ab29fcc49a3ada1391910d44c2b5de0adeb3e7c2f0

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\NPFInstall.exe

Filesize
300KB

MD5
e329aedf93426e9a7e630c344f82e92d

SHA1
0f54253372de72fee1654938f40ecf496882822d

SHA256
616ba74e0c8cd7eddc72e74b630c2fdb22a3cc77c33ac974eea8e57dff8afdb8

SHA512
c1b39d8c93214aeafd182b2ae26a657ab2d3f225c497ec21d8fdf85dadb0ef0d28e14f64e567c5bdfc6d27d9dfce4ad9467a3d154f46e81a7ed87b2986db288e

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\SimpleSC.dll

Filesize
70KB

MD5
4a2b58bd7cab29463d9e53fcb9a252b6

SHA1
4679ba66db7989a64c41892bbb3f7cec38fb5597

SHA256
18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

SHA512
e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\SimpleSC.dll

Filesize
70KB

MD5
4a2b58bd7cab29463d9e53fcb9a252b6

SHA1
4679ba66db7989a64c41892bbb3f7cec38fb5597

SHA256
18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

SHA512
e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\SimpleSC.dll

Filesize
70KB

MD5
4a2b58bd7cab29463d9e53fcb9a252b6

SHA1
4679ba66db7989a64c41892bbb3f7cec38fb5597

SHA256
18b17999996d73fe911a8eb676c231cb0bf002174954b552f880bdabf4c78124

SHA512
e6a69b5bb52467e7b8168a3e0ad45252b196b8eaea87b91f8d3b150545ce6bc7ee586ebe1d83da6c04203a9a9bab5f4af66759ba35b73306f7962ca5b6ff2fff

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nst2945.tmp\nsExec.dll

Filesize
6KB

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
memory/300-141-0x00000000022C0000-0x000000000267B000-memory.dmp

Filesize
3.7MB

Download
memory/300-139-0x00000000021A0000-0x00000000022B1000-memory.dmp

Filesize
1.1MB

Download
memory/300-143-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/1252-98-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

Filesize
8KB

Download
memory/1468-54-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1792-108-0x0000000001DA0000-0x0000000001DB3000-memory.dmp

Filesize
76KB

Download