hxxps://nmap[.]org/dist/nmap-7[.]93-setup[.]exe

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/12/2022, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nmap.org/dist/nmap-7.93-setup.exe

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
33	304	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETA352.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETA352.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Executes dropped EXE 7 IoCs

pid	Process
1008	nmap-7.93-setup.exe
1408	npcap-1.71.exe
1360	NPFInstall.exe
1644	NPFInstall.exe
484	NPFInstall.exe
1688	NPFInstall.exe
1356	zenmap.exe

Loads dropped DLL 63 IoCs

pid	Process
1008	nmap-7.93-setup.exe
1008	nmap-7.93-setup.exe
1008	nmap-7.93-setup.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1696	Process not Found
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1988	Process not Found
1408	npcap-1.71.exe
1600	Process not Found
1408	npcap-1.71.exe
1888	Process not Found
1288	Process not Found
1288	Process not Found
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1008	nmap-7.93-setup.exe
1008	nmap-7.93-setup.exe
1008	nmap-7.93-setup.exe
1008	nmap-7.93-setup.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe
1356	zenmap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_5fbe69d0387e1c8c\NPCAP.PNF	DrvInst.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF643.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_5fbe69d0387e1c8c\npcap.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF642.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF643.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_5fbe69d0387e1c8c\npcap.PNF	DrvInst.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF642.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF644.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\SETF644.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	NPFInstall.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\nselib\target.lua	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\lib\gtk-2.0\2.10.0\engines\libpixmap.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\amqp-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\port-states.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-strangeport.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssl-poodle.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\sslv2.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\intl.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-chrono.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-jsonp-detection.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-psexec.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\ncat.exe	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\cups-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-icloud-findmyiphone.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2017-5638.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\netbus-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ventrilo-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\asn1.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\vhosts-full.lst	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\psexec\nmap_service.vcproj	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nmap-rpc	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-favicon.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\duplicates.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\svn-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\mysql-cis.audit	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libgio-2.0-0.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-auth-finder.nse	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\lib\gtk-2.0\include\gdkconfig.h	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\resolveall.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-bigip-cookie.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\murmur-version.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssh-publickey-acceptance.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\it\LC_MESSAGES\zenmap.mo	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\etc\bash_completion.d\gdbus-bash-completion.sh	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\hostmap-crtsh.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\pgsql-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\_ssl.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\vnc-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\cairo._cairo.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\select.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\stun.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\dnsbl.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\geoip.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\ubuntu_32.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\pjl-ready-message.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-dlink-backdoor.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\supermicro-ipmi-conf.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\xdmcp.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-cakephp-version.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\giop.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\freetype6.dll	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\_ctypes.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-backup-finder.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\xmpp-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\natpmp.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\mgroupnames.db	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\freebsd_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-drupal-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\path-mtu.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-protocols.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-sysdescr.nse	nmap-7.93-setup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	NPFInstall.exe
File created	C:\Windows\INF\oem0.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File created	C:\Windows\INF\oem1.PNF	pnputil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1624	SCHTASKS.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 607d5a16651cd901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379179811"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DF0F511-8858-11ED-8FA4-466E2F293893} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1828	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	NPFInstall.exe
1796	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: SeDebugPrivilege	1360	NPFInstall.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	1504	pnputil.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	484	NPFInstall.exe
Token: SeRestorePrivilege	1688	NPFInstall.exe
Token: SeRestorePrivilege	1688	NPFInstall.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1936	iexplore.exe
1936	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	iexplore.exe
1936	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2024	1936	iexplore.exe	29
PID 1936 wrote to memory of 2024	1936	iexplore.exe	29
PID 1936 wrote to memory of 2024	1936	iexplore.exe	29
PID 1936 wrote to memory of 2024	1936	iexplore.exe	29
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1936 wrote to memory of 1008	1936	iexplore.exe	31
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1008 wrote to memory of 1408	1008	nmap-7.93-setup.exe	32
PID 1408 wrote to memory of 976	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 976	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 976	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 976	1408	npcap-1.71.exe	33
PID 976 wrote to memory of 1108	976	cmd.exe	35
PID 976 wrote to memory of 1108	976	cmd.exe	35
PID 976 wrote to memory of 1108	976	cmd.exe	35
PID 976 wrote to memory of 1108	976	cmd.exe	35
PID 976 wrote to memory of 1084	976	cmd.exe	36
PID 976 wrote to memory of 1084	976	cmd.exe	36
PID 976 wrote to memory of 1084	976	cmd.exe	36
PID 976 wrote to memory of 1084	976	cmd.exe	36
PID 1408 wrote to memory of 1360	1408	npcap-1.71.exe	38
PID 1408 wrote to memory of 1360	1408	npcap-1.71.exe	38
PID 1408 wrote to memory of 1360	1408	npcap-1.71.exe	38
PID 1408 wrote to memory of 1360	1408	npcap-1.71.exe	38
PID 1408 wrote to memory of 1640	1408	npcap-1.71.exe	40
PID 1408 wrote to memory of 1640	1408	npcap-1.71.exe	40
PID 1408 wrote to memory of 1640	1408	npcap-1.71.exe	40
PID 1408 wrote to memory of 1640	1408	npcap-1.71.exe	40
PID 1408 wrote to memory of 1972	1408	npcap-1.71.exe	42
PID 1408 wrote to memory of 1972	1408	npcap-1.71.exe	42
PID 1408 wrote to memory of 1972	1408	npcap-1.71.exe	42
PID 1408 wrote to memory of 1972	1408	npcap-1.71.exe	42
PID 1408 wrote to memory of 1644	1408	npcap-1.71.exe	44
PID 1408 wrote to memory of 1644	1408	npcap-1.71.exe	44
PID 1408 wrote to memory of 1644	1408	npcap-1.71.exe	44
PID 1408 wrote to memory of 1644	1408	npcap-1.71.exe	44
PID 1644 wrote to memory of 1504	1644	NPFInstall.exe	46
PID 1644 wrote to memory of 1504	1644	NPFInstall.exe	46
PID 1644 wrote to memory of 1504	1644	NPFInstall.exe	46
PID 1408 wrote to memory of 484	1408	npcap-1.71.exe	48
PID 1408 wrote to memory of 484	1408	npcap-1.71.exe	48
PID 1408 wrote to memory of 484	1408	npcap-1.71.exe	48
PID 1408 wrote to memory of 484	1408	npcap-1.71.exe	48
PID 1408 wrote to memory of 1688	1408	npcap-1.71.exe	50
PID 1408 wrote to memory of 1688	1408	npcap-1.71.exe	50
PID 1408 wrote to memory of 1688	1408	npcap-1.71.exe	50
PID 1408 wrote to memory of 1688	1408	npcap-1.71.exe	50
PID 1320 wrote to memory of 304	1320	DrvInst.exe	53
PID 1320 wrote to memory of 304	1320	DrvInst.exe	53
PID 1320 wrote to memory of 304	1320	DrvInst.exe	53
PID 1408 wrote to memory of 1796	1408	npcap-1.71.exe	57
PID 1408 wrote to memory of 1796	1408	npcap-1.71.exe	57
PID 1408 wrote to memory of 1796	1408	npcap-1.71.exe	57
PID 1408 wrote to memory of 1796	1408	npcap-1.71.exe	57

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://nmap.org/dist/nmap-7.93-setup.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\nmap-7.93-setup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\nmap-7.93-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\npcap-1.71.exe
    "C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\npcap-1.71.exe" /loopback_support=no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\SysWOW64\findstr.exe
        
        C:\Windows\System32\findstr.exe "^KB4474419"
        5⤵
        
        PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe" -n -check_dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1360
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\roots.p7b"
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\signing.p7b"
      4⤵
      PID:1972
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -c
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\system32\pnputil.exe
        
        pnputil.exe -e
        5⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:484
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -i
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1796
  - - C:\Windows\SysWOW64\SCHTASKS.EXE
      SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
      4⤵
      Creates scheduled task(s)
      PID:1624
- - C:\Windows\SysWOW64\regedt32.exe
    regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\nmap_performance.reg"
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\nmap_performance.reg"
      4⤵
      Runs .reg file with regedit
      PID:1828

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0f16d515-d5b3-22b4-1837-70519090c276}\NPCAP.inf" "9" "605306be3" "0000000000000514" "WinSta0\Default" "00000000000005A0" "208" "C:\Program Files\Npcap"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6014c489-d70a-38ff-89c4-1460c061a863} Global\{30f7351a-3fac-7766-7c68-cc7c7e88ba6d} C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\NPCAP.inf C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\npcap.cat
  2⤵
  - Blocklisted process makes network request
  PID:304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1988

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "00000000000005C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2000

C:\Program Files (x86)\Nmap\zenmap.exe
"C:\Program Files (x86)\Nmap\zenmap.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.sys

Filesize
65KB

MD5
61613f1bef848e6c08bfce931753dedc

SHA1
c902177d2ed221019ea728443ef32bfff8688d3a

SHA256
81142d0f58c32f54d54b2f3fe725a5e09b5b9b81e72704aea2ecfae15a2a9085

SHA512
358567c89e16f9e9e29d27710f46b700075dda5ecfea5f42a4c5d00c3ce3d82a69dcb3301635bd6b0f1af91c232c1b8395431cf8141061a7e8c0a4f964b7e33d

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
974e3b4529ff617b0d1a3383a9f7ac74

SHA1
a7993a1758e402ca1d5529c9392f98799054f860

SHA256
aace2ab10f7849737298900e5e8fdf3f980ed311bdc8d1ac7c7006688104aab3

SHA512
7f98f2a15ddadcaf390f4876d7c849744509961866de34b04336edf192466272af3d9417fee09c1e32c5f1e9fd7b8350e93970169191cbf1eb27db1d73db16f5

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
a5971e56a78ee221cd0c05c1940cc360

SHA1
92e184e154af9d3a61d7c66d90922e1064bd0895

SHA256
f0bd3192542df8e0c774c9ffcbbd8a0a92d9d2a250bec7c976b402ea900bb222

SHA512
687f4621fb931bed5061983bca394e0ea3d62bcfedaccfc08dbf83c30e1e25edf011b9e3cd24859ba0493ee595b5e1fc1e762337546a7939ef56dc4c9bdc2e93

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
636c188146c3279cbf4a33d8b9320552

SHA1
755274935951934cb82e7abf5919d9572cc3fc79

SHA256
e694fdfa21ab3c8422c6b8ed935f4b9b21053dcf41268736dae21cfcfaf87304

SHA512
8ec300e02e83021ed1370214317626c0566e6d207fb8682c399138537236c9b5e1811356807745662bcf330473fdf25cbcdcff793e77d9c690657bcd3c948304

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
214ba2e3803625ac360fc6539f17abe6

SHA1
2bbb4bdca47fb31de6649e666b0e8fd9255b7dd3

SHA256
e8fb55888846eb721a67d712f4d6ccee653618e776d96ab2a34b082208d1032f

SHA512
23037eb342979915de6b1f09759a1ca70e04258e55710a29b8903a8103e24cfffea56caee5ccce62d9b9d013eafc83224f0a8e909b06f22a0cf2251ae57f3ba0

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
e6f71f1d526c582c9c503486c40a9d1a

SHA1
a81e40ec700fc173d094449da7d375a2476afe3a

SHA256
d2a6cf3a893d1dee03be252db7186fc82f59a3e2708524ba3edad6ca0bac470e

SHA512
87cc0606d03afeb520a055e3c5d65f3fab3a81ac14a4150328a7a6aecc204a730c91adba222ffee51bb1f1bdfb71517e5414f2deb2824770f826568d141a892b

Download Submit
C:\Program Files\Npcap\npcap.cat

Filesize
12KB

MD5
476aefd0a4901004fb2bc4ad796910b9

SHA1
a3b4bb1c474aaca684bbfc5f686bfe8060422a6d

SHA256
a2baec34bbcbf3f655c7d6d91ad117d0aae555a2f55c0187d487b6c21c0785a2

SHA512
b93da1583b224faa3209f4083322bbc5b1b9239dd25b389bdb13406c43c66dff82ab2539dc48272908f799ff01536438f12f848af35a9092d5e84493dafeb49f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
a23e35c99c4190106a1f3def6070de0b

SHA1
3e736640a2cf114e7b63bd8a437bcfe1bb5ee384

SHA256
4e622226ed66161b746405dcf4c699c81ca8947d5b07f8f25dc7951028d97e6f

SHA512
383a263bbe15adcc02b7a57689da30f643e77b74aa509f4ecf6de8e12f0fb619ff5eff842bcdb0b7e2c01c06ebe324d5784a037265a1dd7787c3e6726ef32fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FA234383376BC394CB9295300933C29D

Filesize
471B

MD5
562ca9b0ab539ac492528533c8921412

SHA1
ae041634812a10fc9b30756b761ddecfe813c5c6

SHA256
96ff30f6e230706f8229955d840013dfe5cc78de96434462af5345c7182e160f

SHA512
2df56ed3fc95a6e9d8ee6209930e01298942734a5ca1af243895b1ea84bd13401738c7a794041878ed47b41f0a7f255aba2a971a81d765a10b30188205f72902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
b5f83d835d442f6418e8075ec8875664

SHA1
2c2faf1116de15a2ff11994cb7b64d6a24b10d65

SHA256
ae3297baf14c8dc15f0e35d5b2b681722b5b0803967d7698b65319e1f6489963

SHA512
51658d17530ffff9167a0b3cf7576340e4f75c8a2a3af7e791f6055916b1ef99c84cc50cf2fae969fce0d5a5d58d26f06385449ae9005ac1990d9771b73cf81b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5145e51cd66cc45e2462c1473205ed15

SHA1
ba824981a0b03a1de63d1613fec8bfb4bec93d6f

SHA256
89ba25d3ab91bb90507739095ff776bc28ca90ea010ecc889253071f39b4d242

SHA512
9b8d4a47c386c7371bbd96958610d50f0b383a68176a2ab5694383194f2cd544ba71dec7744f85bd026aac894fdd1e10f7bc2d67ff5e4179bef78b427079aa93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2aa3260119ae4ae6fce28e4c61a8750

SHA1
944f9da5973bf782570924cea93ea8e2f4da68dd

SHA256
4d0752a1df49dd3f84a4f9b90333c580469af1edb598073e0c073886b75cbd87

SHA512
c58117543ff029c62fa46af0cd26c5e2762d47db3a7f473608106da9a29d3807c63ea711176fc0bc6425e167e28eca11cb659e08428e3962957d590d6b6dc4b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FA234383376BC394CB9295300933C29D

Filesize
438B

MD5
1a5f8edc87144ac11d69647269b1a825

SHA1
28592b5139aafb2eb0c2dd39f0f13a080d873996

SHA256
2dd5978fef5421b53b7d82e289b4772e7a59bdd6be6de7c5ee31faea2ecaeee7

SHA512
a2ccd6931c8a90ecf8d84d417ef65082770784fc5f5cba14b3ce37d2c0bfc4405ee3d35c64b9b5990deb7f0aed5a114116f94d93f4b64918c3bc66bdee739980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3dd02cb8f2aba591ab9195c328ef433b

SHA1
073950b3343debc3f7ab4363401a45fdc77461a9

SHA256
81dc9c2fe0711a97eaff19fd311524366d6e9e412a6343a112720ff08fcc9fd9

SHA512
d0525fe444f79259a654c3973b07df2f78566b186fc14a44ac1b6e564feff6b165f3c2b2fd84b19a94ec707f3fa4f8e002e9af3e7c52c1d8028da02cefb530ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\nmap-7.93-setup.exe

Filesize
27.8MB

MD5
f9e753cccea0ffae6871dc65f67d3f89

SHA1
ab2de49f90330cc3b305457a9a0f897f296e95f4

SHA256
f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

SHA512
0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\nmap-7.93-setup.exe.y1m93iu.partial

Filesize
27.8MB

MD5
f9e753cccea0ffae6871dc65f67d3f89

SHA1
ab2de49f90330cc3b305457a9a0f897f296e95f4

SHA256
f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

SHA512
0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0F16D~1\npcap.sys

Filesize
65KB

MD5
61613f1bef848e6c08bfce931753dedc

SHA1
c902177d2ed221019ea728443ef32bfff8688d3a

SHA256
81142d0f58c32f54d54b2f3fe725a5e09b5b9b81e72704aea2ecfae15a2a9085

SHA512
358567c89e16f9e9e29d27710f46b700075dda5ecfea5f42a4c5d00c3ce3d82a69dcb3301635bd6b0f1af91c232c1b8395431cf8141061a7e8c0a4f964b7e33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0f16d515-d5b3-22b4-1837-70519090c276}\NPCAP.inf

Filesize
8KB

MD5
974e3b4529ff617b0d1a3383a9f7ac74

SHA1
a7993a1758e402ca1d5529c9392f98799054f860

SHA256
aace2ab10f7849737298900e5e8fdf3f980ed311bdc8d1ac7c7006688104aab3

SHA512
7f98f2a15ddadcaf390f4876d7c849744509961866de34b04336edf192466272af3d9417fee09c1e32c5f1e9fd7b8350e93970169191cbf1eb27db1d73db16f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0f16d515-d5b3-22b4-1837-70519090c276}\npcap.cat

Filesize
12KB

MD5
476aefd0a4901004fb2bc4ad796910b9

SHA1
a3b4bb1c474aaca684bbfc5f686bfe8060422a6d

SHA256
a2baec34bbcbf3f655c7d6d91ad117d0aae555a2f55c0187d487b6c21c0785a2

SHA512
b93da1583b224faa3209f4083322bbc5b1b9239dd25b389bdb13406c43c66dff82ab2539dc48272908f799ff01536438f12f848af35a9092d5e84493dafeb49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P5979GXT.txt

Filesize
603B

MD5
c22283b2fc6c78d63cbfc98c363f511f

SHA1
cb9fadfbad83941c470fd2b0456b101466b658eb

SHA256
e75d27fe2321ae733a908c0d55aa4ff6688b73e52146ec354a94a132fe80a11c

SHA512
f7704e9871dccf360de9624e57c82e472fbe165ae79acabfe18de1b19762745d3d6e553ae6ec6437c2249b9ea0eac326bd11b2a5a6a8cfeba65436e7fe4a7721

Download Submit
C:\Windows\INF\oem2.inf

Filesize
8KB

MD5
974e3b4529ff617b0d1a3383a9f7ac74

SHA1
a7993a1758e402ca1d5529c9392f98799054f860

SHA256
aace2ab10f7849737298900e5e8fdf3f980ed311bdc8d1ac7c7006688104aab3

SHA512
7f98f2a15ddadcaf390f4876d7c849744509961866de34b04336edf192466272af3d9417fee09c1e32c5f1e9fd7b8350e93970169191cbf1eb27db1d73db16f5

Download Submit
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_neutral_5fbe69d0387e1c8c\npcap.PNF

Filesize
11KB

MD5
f23c6d28748f83198298ada6200d8594

SHA1
e3d0c1f493083357bec485e34c3730d6ce8b91a9

SHA256
5d88327af5367d963ab9ea0c9ded239afef5fa7fb24734edc296defa510f4fa8

SHA512
f56c3a110b1e13398f6ecf72bf1f8d8495769731b3078be5957d4c761a75658fd61536cb40c6558b544d357490aa013d6ea9aa7cd1b4c44e7cea96485d5d097f

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
36ac28752a6520db19fc001e27223b53

SHA1
6f6651bb18a55b1943f0c66c96aa7cca67716295

SHA256
6d4a928ac9d466ccea6f59eb941df2c95c80e6242663e1492b8c026e18bbc5e9

SHA512
1fa14a23c07637f6763d4ad91757cdb89a93ff8d157c92d07259a48aa42785e0c7be250d7252a7fa5dbab6004d6a15804da0ad365ae74d1281b9dcf61b0e2b3c

Download Submit
C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\NPCAP.inf

Filesize
8KB

MD5
974e3b4529ff617b0d1a3383a9f7ac74

SHA1
a7993a1758e402ca1d5529c9392f98799054f860

SHA256
aace2ab10f7849737298900e5e8fdf3f980ed311bdc8d1ac7c7006688104aab3

SHA512
7f98f2a15ddadcaf390f4876d7c849744509961866de34b04336edf192466272af3d9417fee09c1e32c5f1e9fd7b8350e93970169191cbf1eb27db1d73db16f5

Download Submit
C:\Windows\System32\DriverStore\Temp\{245c94ac-d009-2d2c-5a2b-340438479609}\npcap.cat

Filesize
12KB

MD5
476aefd0a4901004fb2bc4ad796910b9

SHA1
a3b4bb1c474aaca684bbfc5f686bfe8060422a6d

SHA256
a2baec34bbcbf3f655c7d6d91ad117d0aae555a2f55c0187d487b6c21c0785a2

SHA512
b93da1583b224faa3209f4083322bbc5b1b9239dd25b389bdb13406c43c66dff82ab2539dc48272908f799ff01536438f12f848af35a9092d5e84493dafeb49f

Download Submit
\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6CD9.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAB30.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
memory/304-114-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/1008-59-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1356-150-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/1356-146-0x0000000002200000-0x0000000002311000-memory.dmp

Filesize
1.1MB

Download
memory/1356-148-0x0000000002320000-0x00000000026DB000-memory.dmp

Filesize
3.7MB

Download
memory/1796-134-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-133-0x0000000073C70000-0x000000007421B000-memory.dmp

Filesize
5.7MB

Download