f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

Analysis

max time kernel
162s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-01-2023 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nmap-7.93-setup.exe
Size

27.8MB
MD5

f9e753cccea0ffae6871dc65f67d3f89
SHA1

ab2de49f90330cc3b305457a9a0f897f296e95f4
SHA256

f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f
SHA512

0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d
SSDEEP

786432:eCw4jIIk4AN6o6JWCRCLz4NFMqt9+26UgRY5YYnDEWW:e/T4hJZRCgMkg+5HEv

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET5F6F.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SET5F6F.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Executes dropped EXE 5 IoCs

pid	Process
1408	npcap-1.71.exe
784	NPFInstall.exe
1960	NPFInstall.exe
1548	NPFInstall.exe
1040	NPFInstall.exe

Loads dropped DLL 29 IoCs

pid	Process
1112	nmap-7.93-setup.exe
1112	nmap-7.93-setup.exe
1112	nmap-7.93-setup.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
612	Process not Found
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
808	Process not Found
1408	npcap-1.71.exe
1468	Process not Found
1408	npcap-1.71.exe
308	Process not Found
1256	Process not Found
1256	Process not Found
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1408	npcap-1.71.exe
1112	nmap-7.93-setup.exe
1112	nmap-7.93-setup.exe
1112	nmap-7.93-setup.exe
1112	nmap-7.93-setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\system32\Packet.dll	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	NPFInstall.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.71.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.71.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\select.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ftp-libopie.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\url-snarf.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\versant-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ospf.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-sybase-asa-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.71.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\vl_1_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-apache-server-status.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\telnet-ntlm-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\isns.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\smb2.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\traceroute-geolocation.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\rtsp.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\vl_2_32.png	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libcroco-0.6-3.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\bjnp-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\citrix-enum-apps.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-svn-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\membase-http-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libexpat-1.dll	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libgailutil-18.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-fuzz.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rexec-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\stuxnet-detect.nse	nmap-7.93-setup.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files (x86)\Nmap\scripts\fcrdns.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\pl\LC_MESSAGES\zenmap.mo	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libgobject-2.0-0.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\eppc-enum-processes.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\bittorrent.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\zh\LC_MESSAGES\zenmap.mo	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\share\themes\MS-Windows\gtk-2.0\gtkrc	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dicom-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ms-sql-dac.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\bitcoin.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\cassandra-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-pppoe-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ipOps.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\_socket.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\bz2.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\licenses\PCRE-license.txt	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-nsid.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\nje-node-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mysql-query.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\riak-http-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libpangoft2-1.0-0.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\licenses\Lua-license.txt	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-bjnp-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-security-headers.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\gtk._gtk.pyd	nmap-7.93-setup.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files (x86)\Nmap\py2exe\atk.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libgobject-2.0-0.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-jsonp-detection.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\ZENMAP_README	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\etc\pango\pango.modules	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\Uninstall.exe	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\backorifice-info.nse	nmap-7.93-setup.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.71.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\ubuntu_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-srv-enum.nse	nmap-7.93-setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	NPFInstall.exe
File created	C:\Windows\INF\oem2.PNF	NPFInstall.exe
File created	C:\Windows\INF\oem0.PNF	pnputil.exe
File created	C:\Windows\INF\oem1.PNF	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1612	SCHTASKS.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Runs .reg file with regedit 1 IoCs

pid	Process
544	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
784	NPFInstall.exe
1996	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemProfilePrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeProfSingleProcessPrivilege	960	WMIC.exe
Token: SeIncBasePriorityPrivilege	960	WMIC.exe
Token: SeCreatePagefilePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeDebugPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeRemoteShutdownPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: 33	960	WMIC.exe
Token: 34	960	WMIC.exe
Token: 35	960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemProfilePrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeProfSingleProcessPrivilege	960	WMIC.exe
Token: SeIncBasePriorityPrivilege	960	WMIC.exe
Token: SeCreatePagefilePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeDebugPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeRemoteShutdownPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: 33	960	WMIC.exe
Token: 34	960	WMIC.exe
Token: 35	960	WMIC.exe
Token: SeDebugPrivilege	784	NPFInstall.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1648	pnputil.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1548	NPFInstall.exe
Token: SeRestorePrivilege	1040	NPFInstall.exe
Token: SeRestorePrivilege	1040	NPFInstall.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1112 wrote to memory of 1408	1112	nmap-7.93-setup.exe	27
PID 1408 wrote to memory of 2024	1408	npcap-1.71.exe	28
PID 1408 wrote to memory of 2024	1408	npcap-1.71.exe	28
PID 1408 wrote to memory of 2024	1408	npcap-1.71.exe	28
PID 1408 wrote to memory of 2024	1408	npcap-1.71.exe	28
PID 2024 wrote to memory of 960	2024	cmd.exe	30
PID 2024 wrote to memory of 960	2024	cmd.exe	30
PID 2024 wrote to memory of 960	2024	cmd.exe	30
PID 2024 wrote to memory of 960	2024	cmd.exe	30
PID 2024 wrote to memory of 1724	2024	cmd.exe	31
PID 2024 wrote to memory of 1724	2024	cmd.exe	31
PID 2024 wrote to memory of 1724	2024	cmd.exe	31
PID 2024 wrote to memory of 1724	2024	cmd.exe	31
PID 1408 wrote to memory of 784	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 784	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 784	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 784	1408	npcap-1.71.exe	33
PID 1408 wrote to memory of 1840	1408	npcap-1.71.exe	35
PID 1408 wrote to memory of 1840	1408	npcap-1.71.exe	35
PID 1408 wrote to memory of 1840	1408	npcap-1.71.exe	35
PID 1408 wrote to memory of 1840	1408	npcap-1.71.exe	35
PID 1408 wrote to memory of 1936	1408	npcap-1.71.exe	37
PID 1408 wrote to memory of 1936	1408	npcap-1.71.exe	37
PID 1408 wrote to memory of 1936	1408	npcap-1.71.exe	37
PID 1408 wrote to memory of 1936	1408	npcap-1.71.exe	37
PID 1408 wrote to memory of 1960	1408	npcap-1.71.exe	39
PID 1408 wrote to memory of 1960	1408	npcap-1.71.exe	39
PID 1408 wrote to memory of 1960	1408	npcap-1.71.exe	39
PID 1408 wrote to memory of 1960	1408	npcap-1.71.exe	39
PID 1960 wrote to memory of 1648	1960	NPFInstall.exe	41
PID 1960 wrote to memory of 1648	1960	NPFInstall.exe	41
PID 1960 wrote to memory of 1648	1960	NPFInstall.exe	41
PID 1408 wrote to memory of 1548	1408	npcap-1.71.exe	43
PID 1408 wrote to memory of 1548	1408	npcap-1.71.exe	43
PID 1408 wrote to memory of 1548	1408	npcap-1.71.exe	43
PID 1408 wrote to memory of 1548	1408	npcap-1.71.exe	43
PID 1408 wrote to memory of 1040	1408	npcap-1.71.exe	45
PID 1408 wrote to memory of 1040	1408	npcap-1.71.exe	45
PID 1408 wrote to memory of 1040	1408	npcap-1.71.exe	45
PID 1408 wrote to memory of 1040	1408	npcap-1.71.exe	45
PID 1408 wrote to memory of 1996	1408	npcap-1.71.exe	52
PID 1408 wrote to memory of 1996	1408	npcap-1.71.exe	52
PID 1408 wrote to memory of 1996	1408	npcap-1.71.exe	52
PID 1408 wrote to memory of 1996	1408	npcap-1.71.exe	52
PID 1408 wrote to memory of 1612	1408	npcap-1.71.exe	54
PID 1408 wrote to memory of 1612	1408	npcap-1.71.exe	54
PID 1408 wrote to memory of 1612	1408	npcap-1.71.exe	54
PID 1408 wrote to memory of 1612	1408	npcap-1.71.exe	54
PID 1112 wrote to memory of 2016	1112	nmap-7.93-setup.exe	56
PID 1112 wrote to memory of 2016	1112	nmap-7.93-setup.exe	56
PID 1112 wrote to memory of 2016	1112	nmap-7.93-setup.exe	56
PID 1112 wrote to memory of 2016	1112	nmap-7.93-setup.exe	56
PID 2016 wrote to memory of 544	2016	regedt32.exe	57
PID 2016 wrote to memory of 544	2016	regedt32.exe	57
PID 2016 wrote to memory of 544	2016	regedt32.exe	57
PID 2016 wrote to memory of 544	2016	regedt32.exe	57

C:\Users\Admin\AppData\Local\Temp\nmap-7.93-setup.exe
"C:\Users\Admin\AppData\Local\Temp\nmap-7.93-setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\npcap-1.71.exe
  "C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\npcap-1.71.exe" /loopback_support=no
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\findstr.exe
      C:\Windows\System32\findstr.exe "^KB4474419"
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe" -n -check_dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\roots.p7b"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\signing.p7b"
    3⤵
    PID:1936
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\pnputil.exe
      pnputil.exe -e
      4⤵
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:1648
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- - C:\Windows\SysWOW64\SCHTASKS.EXE
    SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
    3⤵
    - Creates scheduled task(s)
    PID:1612
- C:\Windows\SysWOW64\regedt32.exe
  regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\nmap_performance.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\nmap_performance.reg"
    3⤵
    - Runs .reg file with regedit
    PID:544

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5d3c886a-8b29-6e9c-a1e4-b343c0c7a05e}\NPCAP.inf" "9" "605306be3" "0000000000000494" "WinSta0\Default" "000000000000048C" "208" "C:\Program Files\Npcap"
1⤵
- Modifies data under HKEY_USERS
PID:108
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{32f6e871-cd56-2b6a-294a-2e3eb0bb2461} Global\{32d0f6d0-4719-161c-b650-b65599088e40} C:\Windows\System32\DriverStore\Temp\{7dfd46ef-1e5e-3789-c24c-2e0f872b656a}\NPCAP.inf C:\Windows\System32\DriverStore\Temp\{7dfd46ef-1e5e-3789-c24c-2e0f872b656a}\npcap.cat
  2⤵
  PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1576

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "00000000000005BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.sys

Filesize
65KB

MD5
61613f1bef848e6c08bfce931753dedc

SHA1
c902177d2ed221019ea728443ef32bfff8688d3a

SHA256
81142d0f58c32f54d54b2f3fe725a5e09b5b9b81e72704aea2ecfae15a2a9085

SHA512
358567c89e16f9e9e29d27710f46b700075dda5ecfea5f42a4c5d00c3ce3d82a69dcb3301635bd6b0f1af91c232c1b8395431cf8141061a7e8c0a4f964b7e33d

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
974e3b4529ff617b0d1a3383a9f7ac74

SHA1
a7993a1758e402ca1d5529c9392f98799054f860

SHA256
aace2ab10f7849737298900e5e8fdf3f980ed311bdc8d1ac7c7006688104aab3

SHA512
7f98f2a15ddadcaf390f4876d7c849744509961866de34b04336edf192466272af3d9417fee09c1e32c5f1e9fd7b8350e93970169191cbf1eb27db1d73db16f5

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
a5971e56a78ee221cd0c05c1940cc360

SHA1
92e184e154af9d3a61d7c66d90922e1064bd0895

SHA256
f0bd3192542df8e0c774c9ffcbbd8a0a92d9d2a250bec7c976b402ea900bb222

SHA512
687f4621fb931bed5061983bca394e0ea3d62bcfedaccfc08dbf83c30e1e25edf011b9e3cd24859ba0493ee595b5e1fc1e762337546a7939ef56dc4c9bdc2e93

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
c732a1b081f4a406e716d12b3ff594f6

SHA1
2b98e0f63706d6615f5aee9b1b1ced67196ab4d7

SHA256
fdec345960b26acf549129ca48b0f795c7e400f4ad5d31e5e47e5b455f5ee6ba

SHA512
93d5f085d7cb677110a415c88bcfd98b81ff43fa896ac42cb44ff7e54d71884fabcb07d890f41cebfd6abbd94d2098e9d3d292ca92948359c7132071f147c57e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
930B

MD5
cdb427a945c2d0b25417970c21e4bc20

SHA1
bf05cb45d4894a2b0a7be53cebd74e71ef0693a1

SHA256
c0bfae4ac256a7bb346847864d2e39d107e28ebf064861b63e6dcdc534ac7b90

SHA512
5aa1be31ab65b0d82bb8e0e06e7a5bec98fda76e172022851a42656b559396d63a2dae8baa14df9e8ee18d46f434686f271b6d2fd747bdb6eeef070c156713ee

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
0067b464f08b5153e0a626fa8a19c5ef

SHA1
46afaafa09e148f05c8e0be85cbfb5dcbed99b3a

SHA256
63cf58fbb86243f5fd77795d44e57eb29f8f3ea6bb490121fa0d2b1590f536ac

SHA512
6f24373cd01de043ec4b1b9530aa46194345979a5d932f49ae4afa0a9e7679ae93e43f9e299d5891404e7eaa4d1c9fe9f26b1b557da4046355fb2df5381658ac

Download Submit
C:\Program Files\Npcap\npcap.cat

Filesize
12KB

MD5
476aefd0a4901004fb2bc4ad796910b9

SHA1
a3b4bb1c474aaca684bbfc5f686bfe8060422a6d

SHA256
a2baec34bbcbf3f655c7d6d91ad117d0aae555a2f55c0187d487b6c21c0785a2

SHA512
b93da1583b224faa3209f4083322bbc5b1b9239dd25b389bdb13406c43c66dff82ab2539dc48272908f799ff01536438f12f848af35a9092d5e84493dafeb49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA316.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso172C.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nseA316.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
\Users\Admin\AppData\Local\Temp\nso172C.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nso172C.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nso172C.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nso172C.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
\Users\Admin\AppData\Local\Temp\nso172C.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
memory/1112-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1616-104-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1996-112-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-111-0x0000000073710000-0x0000000073CBB000-memory.dmp

Filesize
5.7MB

Download