hxxps://nmap[.]org/

Analysis

max time kernel
285s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://nmap.org/

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETF930.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETF930.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Executes dropped EXE 6 IoCs

pid	Process
4604	nmap-7.93-setup.exe
2028	npcap-1.71.exe
896	NPFInstall.exe
4284	NPFInstall.exe
3648	NPFInstall.exe
3336	NPFInstall.exe

Loads dropped DLL 17 IoCs

pid	Process
4604	nmap-7.93-setup.exe
4604	nmap-7.93-setup.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
2028	npcap-1.71.exe
4604	nmap-7.93-setup.exe
4604	nmap-7.93-setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEABB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.cat	DrvInst.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEABB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\http-robtex-reverse-ip.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ipv6-node-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\vtam-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\licenses\BSD-simplified	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\cups-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\cvs-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-open-proxy.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2006-3392.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ntp-monlist.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\oracle-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\omp2.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\psexec\examples.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nse_main.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mysql-dump-hashes.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-ntlm-info.nse	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\sqlite3.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mrinfo.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libpng14-14.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\auth-spoof.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-rip-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-affiliate-id.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-headers.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-majordomo2-dir-traversal.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ms-sql-hasdbaccess.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\stuxnet-detect.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\hnap-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-enum-shares.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-enum-users.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\brute.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\netbios.lua	nmap-7.93-setup.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.71.exe
File created	C:\Program Files (x86)\Nmap\scripts\cics-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-form-fuzzer.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\redis.lua	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\_socket.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rsync-list-modules.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\targets-traceroute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\dns.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\msrpc.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-enum-sessions.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\mssql.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\nessus-xmlrpc-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-strangeport.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\favicon-db	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ip-geolocation-geoplugin.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\openbsd_32.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\openflow-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\win_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\sqlite3.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-misfortune-cookie.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\nje-pass-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libpangocairo-1.0-0.dll	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\etc\bash_completion.d\gdbus-bash-completion.sh	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\informix-query.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\stdnse.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\stringaux.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\vulns.lua	nmap-7.93-setup.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files (x86)\Nmap\nmap-protocols	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-tellstick-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\creds-summary.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\eap-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rpcinfo.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-vuln-ms10-054.nse	nmap-7.93-setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3197593"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe3000000000200000000001066000000010000200000004b0b6d2e40f98bd4be36abde89c34c068ec9f7b62f6624cd140a70a71b3f4539000000000e8000000002000020000000dee2a604591d1d2cbf7d1175c9d9d77dc71b5dac7d5be1f2eae0793127af7f70200000009d4c65575221870d9b9878d6fcca03a9b472e416b52d127167245a956029367140000000e680f6d54a0528d9f36b23060d15219b58623b8df5bdd6f257784e7403a7763efb00d392f90ec5a7df0a050222488bd196dc4f6743ca6a0bc12e9eaa209a8d97	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 709d1afe6264d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024227"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe3000000000200000000001066000000010000200000008322806b9c5c7e1673e5bc9e3fb8cf00f11db07169733044f258d138cd6c00a1000000000e800000000200002000000088b85cb2c6203afea977fca10bb053ab58a49cdb7ef84a6eae695b2ca8abddeb2000000097c9aa9db7585dad22aba9b02c4de3d12a1d3bc9cb1dd6aacd6aec91224c7f2c4000000030d9daa9e59f7dbe472e4d4a02ea9c7fe29c2ec7e3faac64cc5d6c39e6b37ee010a0f05bcef4d959df96f2b9df00592a05db6ca9ed90f977fb360f77103a43e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3197593"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024227"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000ee8ae40e8051293be483fb9cab54a9798e99c570143c473a3ec84e20a3af8201000000000e80000000020000200000002f721ef6b804cec7c6f20f3c6861c62c3b07da046b2c211cd97dc75de7b7218520000000181022cc34611f2f0d32272f7a39f81ba2fec8780cfb9b48eb5cb8844528ef2e4000000090c453a2789460764c597d0afab87d846145c78fe8cb8c35dd1d388a0a786806d26c323495fb0354fec1ca6e6f2da3a96b4bf83db341d657e7f15b64cf76f166	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387095379"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2B177B69-D056-11ED-9EF6-7E7B9EA57A36} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01ef8f26264d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024227"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "18510838"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8096f1136364d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{9F616123-E374-4690-9D1A-0EA0581C5BF1}"	iexplore.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4824	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
896	NPFInstall.exe
896	NPFInstall.exe
4732	powershell.exe
4732	powershell.exe
1624	powershell.exe
1624	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	NPFInstall.exe
Token: SeAuditPrivilege	2424	svchost.exe
Token: SeSecurityPrivilege	2424	svchost.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeIncreaseQuotaPrivilege	1624	powershell.exe
Token: SeSecurityPrivilege	1624	powershell.exe
Token: SeTakeOwnershipPrivilege	1624	powershell.exe
Token: SeLoadDriverPrivilege	1624	powershell.exe
Token: SeSystemProfilePrivilege	1624	powershell.exe
Token: SeSystemtimePrivilege	1624	powershell.exe
Token: SeProfSingleProcessPrivilege	1624	powershell.exe
Token: SeIncBasePriorityPrivilege	1624	powershell.exe
Token: SeCreatePagefilePrivilege	1624	powershell.exe
Token: SeBackupPrivilege	1624	powershell.exe
Token: SeRestorePrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeSystemEnvironmentPrivilege	1624	powershell.exe
Token: SeRemoteShutdownPrivilege	1624	powershell.exe
Token: SeUndockPrivilege	1624	powershell.exe
Token: SeManageVolumePrivilege	1624	powershell.exe
Token: 33	1624	powershell.exe
Token: 34	1624	powershell.exe
Token: 35	1624	powershell.exe
Token: 36	1624	powershell.exe
Token: SeIncreaseQuotaPrivilege	1624	powershell.exe
Token: SeSecurityPrivilege	1624	powershell.exe
Token: SeTakeOwnershipPrivilege	1624	powershell.exe
Token: SeLoadDriverPrivilege	1624	powershell.exe
Token: SeSystemProfilePrivilege	1624	powershell.exe
Token: SeSystemtimePrivilege	1624	powershell.exe
Token: SeProfSingleProcessPrivilege	1624	powershell.exe
Token: SeIncBasePriorityPrivilege	1624	powershell.exe
Token: SeCreatePagefilePrivilege	1624	powershell.exe
Token: SeBackupPrivilege	1624	powershell.exe
Token: SeRestorePrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeSystemEnvironmentPrivilege	1624	powershell.exe
Token: SeRemoteShutdownPrivilege	1624	powershell.exe
Token: SeUndockPrivilege	1624	powershell.exe
Token: SeManageVolumePrivilege	1624	powershell.exe
Token: 33	1624	powershell.exe
Token: 34	1624	powershell.exe
Token: 35	1624	powershell.exe
Token: 36	1624	powershell.exe
Token: SeIncreaseQuotaPrivilege	1624	powershell.exe
Token: SeSecurityPrivilege	1624	powershell.exe
Token: SeTakeOwnershipPrivilege	1624	powershell.exe
Token: SeLoadDriverPrivilege	1624	powershell.exe
Token: SeSystemProfilePrivilege	1624	powershell.exe
Token: SeSystemtimePrivilege	1624	powershell.exe
Token: SeProfSingleProcessPrivilege	1624	powershell.exe
Token: SeIncBasePriorityPrivilege	1624	powershell.exe
Token: SeCreatePagefilePrivilege	1624	powershell.exe
Token: SeBackupPrivilege	1624	powershell.exe
Token: SeRestorePrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeSystemEnvironmentPrivilege	1624	powershell.exe
Token: SeRemoteShutdownPrivilege	1624	powershell.exe
Token: SeUndockPrivilege	1624	powershell.exe
Token: SeManageVolumePrivilege	1624	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1280	iexplore.exe
1280	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1280	iexplore.exe
1280	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
4604	nmap-7.93-setup.exe
2028	npcap-1.71.exe
896	NPFInstall.exe
4284	NPFInstall.exe
3648	NPFInstall.exe
3336	NPFInstall.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1652	1280	iexplore.exe	83
PID 1280 wrote to memory of 1652	1280	iexplore.exe	83
PID 1280 wrote to memory of 1652	1280	iexplore.exe	83
PID 1280 wrote to memory of 4604	1280	iexplore.exe	92
PID 1280 wrote to memory of 4604	1280	iexplore.exe	92
PID 1280 wrote to memory of 4604	1280	iexplore.exe	92
PID 4604 wrote to memory of 2028	4604	nmap-7.93-setup.exe	94
PID 4604 wrote to memory of 2028	4604	nmap-7.93-setup.exe	94
PID 4604 wrote to memory of 2028	4604	nmap-7.93-setup.exe	94
PID 2028 wrote to memory of 896	2028	npcap-1.71.exe	95
PID 2028 wrote to memory of 896	2028	npcap-1.71.exe	95
PID 2028 wrote to memory of 1500	2028	npcap-1.71.exe	97
PID 2028 wrote to memory of 1500	2028	npcap-1.71.exe	97
PID 2028 wrote to memory of 1500	2028	npcap-1.71.exe	97
PID 2028 wrote to memory of 4808	2028	npcap-1.71.exe	99
PID 2028 wrote to memory of 4808	2028	npcap-1.71.exe	99
PID 2028 wrote to memory of 4808	2028	npcap-1.71.exe	99
PID 2028 wrote to memory of 4284	2028	npcap-1.71.exe	101
PID 2028 wrote to memory of 4284	2028	npcap-1.71.exe	101
PID 4284 wrote to memory of 4188	4284	NPFInstall.exe	103
PID 4284 wrote to memory of 4188	4284	NPFInstall.exe	103
PID 2028 wrote to memory of 3648	2028	npcap-1.71.exe	105
PID 2028 wrote to memory of 3648	2028	npcap-1.71.exe	105
PID 2028 wrote to memory of 3336	2028	npcap-1.71.exe	107
PID 2028 wrote to memory of 3336	2028	npcap-1.71.exe	107
PID 2424 wrote to memory of 2008	2424	svchost.exe	111
PID 2424 wrote to memory of 2008	2424	svchost.exe	111
PID 2028 wrote to memory of 4732	2028	npcap-1.71.exe	113
PID 2028 wrote to memory of 4732	2028	npcap-1.71.exe	113
PID 2028 wrote to memory of 4732	2028	npcap-1.71.exe	113
PID 2028 wrote to memory of 1624	2028	npcap-1.71.exe	114
PID 2028 wrote to memory of 1624	2028	npcap-1.71.exe	114
PID 2028 wrote to memory of 1624	2028	npcap-1.71.exe	114
PID 4604 wrote to memory of 1884	4604	nmap-7.93-setup.exe	117
PID 4604 wrote to memory of 1884	4604	nmap-7.93-setup.exe	117
PID 4604 wrote to memory of 1884	4604	nmap-7.93-setup.exe	117
PID 1884 wrote to memory of 4824	1884	regedt32.exe	118
PID 1884 wrote to memory of 4824	1884	regedt32.exe	118
PID 1884 wrote to memory of 4824	1884	regedt32.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://nmap.org/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1652
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\nmap-7.93-setup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\nmap-7.93-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\npcap-1.71.exe
    "C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\npcap-1.71.exe" /loopback_support=no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\NPFInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\NPFInstall.exe" -n -check_dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:896
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\roots.p7b"
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\signing.p7b"
      4⤵
      PID:4808
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -c
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SYSTEM32\pnputil.exe
        
        pnputil.exe -e
        5⤵
        
        PID:4188
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3648
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -i
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\SysWOW64\regedt32.exe
    regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\nmap_performance.reg"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\nmap_performance.reg"
      4⤵
      Runs .reg file with regedit
      PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9cae471d-4e9b-224e-bf78-0da86e7b878c}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.cat

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\PROGRA~1\Npcap\npcap.sys

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
C:\Program Files (x86)\Nmap\py2exe\share\icons\hicolor\index.theme

Filesize
21KB

MD5
5138b82a57488ee821b8a38c2aa1420e

SHA1
28a356d5199ba3d64655b81c4d4f2cf950051589

SHA256
a4dfe3c4193014577207c4bbcf9a511238ba6d05665322e253f0fe599290c5fb

SHA512
b3be3d31d7a0b7aaf1269f766e1772fe866d312839ebe3fb2e09e793954be322a2e0160471f86e82c0ba1308227420887d02f9c8a10448cb963d0f6a258ef018

Download Submit
C:\Program Files (x86)\Nmap\py2exe\share\themes\MS-Windows\gtk-2.0\gtkrc

Filesize
1KB

MD5
94d104680cec5f3d8bbec56258d0c926

SHA1
72ede372fcb34b29754f20ad44f49bc8605cf22c

SHA256
e9dd3015f76e05f185ebe7564d364aef8b8168b05e62421c99875e14e4597977

SHA512
cf7d04304fa58e2dd9a8492b31b065c03c1f7ea96ab71d7d3d212eb17436c7c181470c23296fa3f599f1ef56c6b243921ed7f0a92ad3e0a6cd40a5fe857955a9

Download Submit
C:\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
4b72b37d904cbf298fb8351cc80a048e

SHA1
f77357bd263f88acdb1b5cad300e7b116a1c2ee7

SHA256
953b89b39c78dafb27a05f27bc8faa97c70f2a6ec3bc2f81070a46b85d305f08

SHA512
e63d013ca9badc2d40634c6bdc1629adbade70a65753f317c7e7ac09078ad299105ad6e37fb18a8a6a0b0d994a2ea01c32a55cbc9a19b53466cd49603ee81181

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
393B

MD5
cad5c541fb21d77a34f62afc696acc8d

SHA1
26a8c925fa5e6281cb482979fdc055a1c9b2fdfa

SHA256
29d0d61e9187c30f5dc6bd5c895fe848a79a9a787c25ef9a0b7f8087d6f7e53f

SHA512
685dcd104ad0e05472b9d9221588b17f27c504e868e7e3f3ce438b1f6a9ecd07d77a1e70f5ea190450593f008f2b5628511bc9303d5b7768924fa2e4b18cf616

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
e608afa49383bcd905e6fa122e524b7c

SHA1
6a0270612d6738c2ee0a26dc3e88251cc952f728

SHA256
6134730e77e1fc664b706fc93d379c84d14b8ad051dec3f0f5c73a4535cdc70b

SHA512
00883044523cb03738fa18b55ce0c2242c8636abcd821d6dc570b4c4ebc71022c457ed530de04f6792dad5ac215bd8ed1fb6038a31773303c29b01449b40e93a

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
08e6753418e19a109dcdaeab887da04c

SHA1
d155b2bb711ac8548e8c939899dbbb33d85675ed

SHA256
ab1f1f7e3825f3214ad5cb82f464660ccf635b27c60051db3241e4ef7839fda7

SHA512
3b33e5931aa897deea41b32377228e68ee6e27fce5f16d22655373148358fc8fa5b2142a9e1bd889d6115a50e59fed12977120ff1efca0d892e031305173e90f

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
e6e5d8c72311b9662548cff60ae20024

SHA1
92e7a4ea782e3a2b96b4bc22b7cf3a913128869d

SHA256
d987167307e644d0fce13942cb1eae41717c88944697dab6619319652e7ca612

SHA512
5232a2f760c17647a0d8017572d8c1f21355c584d02e76f52702704ce3b865a5a260a013c1911051fd6e62c4d7b514f9b30f953df1df2cd8446700f7a98ef07a

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
646b1a2eb57e518f89f206248e4e1488

SHA1
c13574f744887ba7a4e244f8ad5e8cb2f26b0369

SHA256
abd851167a9324e01b95a9c7757c3c63ac45bc51b41f61866b3f98ee959505c8

SHA512
96f5b8da826c095a5718e030a5ab74d05bae20b23d82ade917f4f5183af68021973709b6d7b86e230f11e14b18e75fd5f8a0b9273ccf4698453f52486bdae5fa

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
42ee3a8042f35a8146b9b9a116f950f4

SHA1
474385529b6a5e716be1d1d02e848eeafcb884e7

SHA256
10c3533f4afb5d38ff2614735c854ac585c9f7ce90bea87b92a670f3584ba8db

SHA512
89123172e27d8e8cf881223ede5adf324dcfab79deb5fbfa227f2f69755cd48acd426daf20451d92ed24d65dba042161b0ca11270dbf203deba03314ae5ded5e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
958c0b30c45b472c6dbd3d72291152d1

SHA1
feeb1780aebab96dd9e44fe88459d5f88238d26d

SHA256
3a1650dd5d93b6e66e469916fc6ed26f84d4702ba3b7816904cc8304992abb0d

SHA512
682089372225024a3d11eb2a722862616a78c85f34661522fb98f4ec873a35125be806294714e2f37ed0291a4a17aecd54bbb1c318d78a5bfad7809976c56abf

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
acdc3404f065ccf7f92b2fcba6521457

SHA1
ea2d3ea6e01cb3b1f3b1bb8ffdc842fe73023ff6

SHA256
0c91c909795e214b5f18f470b449e3ac75f6fac3f7c84e92d67a36e0964a84d7

SHA512
47406f56030cd1b434c046c5a459f773ecfbc1a368cf5730b79cbe4851825f3b177ab35f5c1bae6c769125f7461e718384b673926aebfaf7afb609e45a5f1806

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
b75ba422854d5b06ee263c06ac0f2f7e

SHA1
70414725c5895588d253a3ccf572f68bd12e27ed

SHA256
15ad9bce3b42ce2a492993d82f412633fd7655ceae6568037904f72446df4cb6

SHA512
dae075750b614d1f8e8ceb397c089b09486f3ff03dbacba3f2c3dde1687c75b64d4318650f65b14bef9557f7833094238b95add4b7f9696660e1285f07ff9c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
bdbbd793778777706223b00a4ea24ed0

SHA1
bf09527cebe8906bfe6aa1e885bc9fb1b3ec54e4

SHA256
8b1034038298faf34d3f580c1ded7212f40d146de7e62cff20826c8b53f80c36

SHA512
7397d981e28bee91dd0e08c3a38444d8524204118548e8db810f5a277cbb08c20a64350063cf36ee4a943edba249f1d0ed350d4cfbc0671461cf27c2534c1f13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
8aad5f0351ab6e7a0120c366aa5de460

SHA1
9af465b30a2d1292448460f6db7394800209d154

SHA256
913ecb355ac34418c2d88ab95df8f9e5033c5b39a9d346d6d8d2cd6e0d5b4226

SHA512
5f0203f2bf16c27011ff65d3b2f1cd73f50bd385406b5f3a3fdc90c3a5466da1aa591a8508982bec33c244f3657b3ffc7cd03fb8103534210e05180f500a7d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat

Filesize
669B

MD5
ae0b45ca9987207bc7d403fc26a5f48f

SHA1
5bc06e868dcb08d949535d8cf255a73c82b1aca0

SHA256
9da0d00a800279c3ccbb601360027811a189949209a4041d99b74768e036c4fe

SHA512
96c4ba865bc879335c7b0ea7d593513f3bc6443317af3cced307f40d04bcfcbb5915dc563f0d63629944f0bf488c847112bde37e56861643cfff748872eaf807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\nst-foot[1].css

Filesize
582B

MD5
18a9b5d9360b49bebfecf8c8b1034516

SHA1
58902ffefd2686509513f0447bb2d12715718039

SHA256
7e7cea08e6a6d377fa2407e7d38d01ec9436db3be15a139139131a349ca11031

SHA512
38db8911fbaf5beeb60b7e8ae824cad86e3bd7e3d9115ea310079657daadb64ae1e39a70cf35e8adce8f86fc2e265d88b057a065d46788ea13539ff0c54f0cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\nst-icons[1].svg

Filesize
4KB

MD5
9f814a1ed91311ea7fcb9e57ffe607e2

SHA1
209b97dde559e18a997d2b0c5bdf589e28375ece

SHA256
a4afe1a251df03f0bfacffdb4206c5c1e209bdc6c7566cc02f2447b5d561da26

SHA512
744f0bf0d2aef6967d86ea7599a0eb4f2c319e6a2d839a199d4ec476f547ad0ac75f46d59043c8a57cc6713e87345357074d797412a429a311272e830df709c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\nmap-7.93-setup.exe

Filesize
27.8MB

MD5
f9e753cccea0ffae6871dc65f67d3f89

SHA1
ab2de49f90330cc3b305457a9a0f897f296e95f4

SHA256
f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

SHA512
0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\nmap-7.93-setup.exe.su12gup.partial

Filesize
27.8MB

MD5
f9e753cccea0ffae6871dc65f67d3f89

SHA1
ab2de49f90330cc3b305457a9a0f897f296e95f4

SHA256
f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

SHA512
0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\site[1].css

Filesize
857B

MD5
82a8c77600b4823ae50e246b00e918bd

SHA1
6c5e2fe4e79a07ea3e687bef06958ae2c15adfab

SHA256
fb3189e1819eaaa51565d33b0f4d7c4d2935c179d35091986ced0184c8eb10e2

SHA512
d18afcd3023e0a6f876ba80b0969410ceeb4569e1e85b5f02f27c449b3f9c14d16797d27369e48f0f29d2a6fb461257d7c8c74f5cca5a0777ab04c5f751ca6dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\tiny-eyeicon[1].png

Filesize
529B

MD5
156515da3c0f7dc6b2493bd5ce43f795

SHA1
3e315ef3c5d4c09d015340b4690e6d36c1203858

SHA256
f22e309dc81ff661756822b865f2a272a00e54af69a314392b0f16b0cb54df15

SHA512
c02e4bbdc946c69816e4608ee19a58a4e76e177a6f09e1dc7e9592558da7acb9f0df0aea860dc230c2d40d1b57a2c189d8ef43307cf20dd3b293f308abe49d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\nst[1].css

Filesize
4KB

MD5
c9c2695da6fa456c1ec4328677dc26c8

SHA1
ced662a762260b30067707e563b58e58d87830c6

SHA256
98bc139fa500051e9012903f725190227462f18c32cb8fe809d1778767f60cdf

SHA512
f8a50b238a992d72c642c68540766ebe126cf8ff83c8d3f96a5b099c9cdcbe86fab8249acdec786703633d390747432e34c35c57609e5c4897795379ceeb45c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\nst[1].js

Filesize
2KB

MD5
adcaef2b162408984cd0a23cd72cbba6

SHA1
7b84b10369c2cdb29134526a0829456201930339

SHA256
a0f3b9ad8e394c21d82cb54a26f93a8b6468ac5f4125fdd1d124fd2b22aa7e7c

SHA512
8b7b9749ea36c334768f5cbee53164777360611628078a384f689ee9fe12c6e772d21c6ab833d2810ffcb8b0e7b9e9f37c825dfb9b29deda4c23995a075c290e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\analytics[1].js

Filesize
49KB

MD5
54e51056211dda674100cc5b323a58ad

SHA1
26dc5034cb6c7f3bbe061edd37c7fc6006cb835b

SHA256
5971b095cff574a66d35ada016d4c077c86e2dea62e9c0f14cf7c94b258619de

SHA512
e305d190287c28ca0cc2e45b909a304194175bb08351ad3f22825b1d632b1a217fb4b90dfd395637932307a8e0cc01da2f47831fa4eda91a18e49efe6685b74b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
89fa00d4801878a816ef6490fbaa06a0

SHA1
9ecf34ea8850b1a4f5e2246c0cd7e6043c261840

SHA256
49d989ecb1e76ef4f054343816ab6780bc6feb2d76a78a660d44aa9633bf04c5

SHA512
f39ea893ec703fe6d67b4b76d8a4ec56e130c8e0fe0d922d82fe84f6e0ec7cddb8fd6f8a0e14b8fd0d7f89397b3e7c57e0f9bd68b41b34687d245d6a807be88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dawhmrqi.gnb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\final.ini

Filesize
566B

MD5
71776947effb76fc8200e5144e2684dc

SHA1
b548dacd0a28763e328bb199ae5781c0ac0858b9

SHA256
70ca60efc07f136d638c71d5eb5d68dc0f30e68497099f3fa90dd066f5e4231b

SHA512
5fc202475aaa7afdf105015b92d251d0a7d56831837d6f1de7ffc2124eeb15cc3ebe827a1716cea34e3c9f50dba79c88ea55849d14729c1a687201e1e29b3fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\shortcuts.ini

Filesize
452B

MD5
4a0bbe8383346a2146fa07b5025c30f5

SHA1
2205fe641f61731d4f7f12ca067c77b0982d77ff

SHA256
8d9cc8e0073c30116218d0630063591063666b0d74efccbe4604341766bebab8

SHA512
2c095366310ca58e1586b339b9ce5f5b990e3015611923fb34ce444e006f90bfdb1591bcea6c867eb69eb8811dd2b401a7faed015a58d7b1a14397979cce9874

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse101A.tmp\shortcuts.ini

Filesize
522B

MD5
333caa774a2d3948c91b9d3489492479

SHA1
60f8e7390c24e77258a3b7dff802acd3b100cdf8

SHA256
346f8c79a52ffef68e3e8e6e3d61925388f090dca06f4401a191a171ecad9d18

SHA512
b9b754f201cb0ec32075ebabe7cfa4aca1c11fed81879503756b7445d1ccad19e1f5805ec13eb3c80f25649f44811092cf1e64526826d075a0ae74e0c0bee490

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\final.ini

Filesize
568B

MD5
cae757421db8d011e41266bfd9439885

SHA1
7108a9f0740ee4e3a118f6ac9212e0446f074181

SHA256
ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204

SHA512
785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\options.ini

Filesize
2KB

MD5
5c12cb2bec2ac5638afa58c50594efbf

SHA1
f7838c285482781b4b3470a917511e46b2f529a3

SHA256
6be0dbd9dae055bf41c260fa807241f5bd64e270978bc1c56ee133a8ace9ea97

SHA512
e2a67b32fce1aab31850a999842603197fa6a64deab28b1d090f18b2bb5bb3c01bae93fc97ba0edc0e1d45fb74878d55dfeef3d051d301bd079b4314003f7b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\options.ini

Filesize
2KB

MD5
cf321ab3761d0c08f10a01d222b64fb7

SHA1
1001636f0da6044b5ff2df0927521a446d52ec61

SHA256
976d505447eb775d795a5b43c173bad7611c691089f2a3cb44ab7a83a0a45a74

SHA512
8b336f9e71dbdda9aeb1c8031dd12abedad97720c74181e07df6112fb388bd6b6cd54a4aabc0832ba590eef9e431f63482f85569a8769a82310f078a202c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBB3F.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9CAE4~1\npcap.cat

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9CAE4~1\npcap.sys

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9cae471d-4e9b-224e-bf78-0da86e7b878c}\NPCAP.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\INF\oem3.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7A.tmp

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEA7B.tmp

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\Temp\{574109bf-0d00-4f48-9de7-6305f565af4c}\SETEABB.tmp

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
memory/1624-1563-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1624-1561-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1624-1564-0x00000000076F0000-0x0000000007722000-memory.dmp

Filesize
200KB

Download
memory/1624-1562-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4732-1524-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/4732-1523-0x0000000003060000-0x0000000003096000-memory.dmp

Filesize
216KB

Download
memory/4732-1522-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4732-1527-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/4732-1525-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/4732-1526-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4732-1542-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download
memory/4732-1541-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/4732-1540-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/4732-1539-0x0000000006AE0000-0x0000000006B76000-memory.dmp

Filesize
600KB

Download
memory/4732-1538-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/4732-1528-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download