f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nmap-7.93-setup.exe
Size

27.8MB
MD5

f9e753cccea0ffae6871dc65f67d3f89
SHA1

ab2de49f90330cc3b305457a9a0f897f296e95f4
SHA256

f1160a33fb79c764cdc4c023fa700054ae2945ed91880e37348a17c010ca716f
SHA512

0c6f6c14ecf8ef028e6a556f58e720321a7808b0a1f602e019f6b21d9cef970424185c27e7647368d2fca256d47844310d76d626209d406a961d048063410d1d
SSDEEP

786432:eCw4jIIk4AN6o6JWCRCLz4NFMqt9+26UgRY5YYnDEWW:e/T4hJZRCgMkg+5HEv

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET62D1.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SET62D1.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	nmap.exe

Executes dropped EXE 8 IoCs

pid	Process
4984	npcap-1.71.exe
484	NPFInstall.exe
3312	NPFInstall.exe
1372	NPFInstall.exe
3452	NPFInstall.exe
4492	zenmap.exe
3172	nmap.exe
1936	nmap.exe

Loads dropped DLL 64 IoCs

pid	Process
1280	nmap-7.93-setup.exe
1280	nmap-7.93-setup.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
4984	npcap-1.71.exe
1280	nmap-7.93-setup.exe
1280	nmap-7.93-setup.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
4492	zenmap.exe
3172	nmap.exe
3172	nmap.exe
3172	nmap.exe
3172	nmap.exe
3172	nmap.exe
3172	nmap.exe
3172	nmap.exe
4492	zenmap.exe
1936	nmap.exe
1936	nmap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B01.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B01.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B12.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.71.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.71.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B11.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B11.tmp	DrvInst.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.71.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.71.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.71.exe
File created	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B12.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.PNF	NPFInstall.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\eppc-enum-processes.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\llmnr-resolve.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ipOps.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\hi\LC_MESSAGES\zenmap.mo	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libcairo-2.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libpangocairo-1.0-0.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\deluge-rpc-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ovs-agent-version.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\vulners.nse	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\bz2.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\backorifice-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-grep.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\drda.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nping.exe	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\backorifice-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\lpeg.luadoc	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\smb.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\licenses\BSD-modified.txt	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2014-8877.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\shortport.lua	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\etc\pango\pango.modules	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-cisco-anyconnect.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-gitweb-projects-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nmap.xsl	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\radialnet\logo.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ipp.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\packet.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\informix-tables.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\proxy.lua	nmap-7.93-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\_ctypes.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-sysdescr.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libcroco-0.6-3.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-listener.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-ospf2-discover.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ftp-proftpd-backdoor.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-barracuda-dir-traversal.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\weblogic-t3-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\nsedebug.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\atk.pyd	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\quake1-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-commands.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\target.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\tns.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\http-fingerprints.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-wordpress-enum.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rdp-enum-encryption.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rmi-vuln-classloader.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssh-brute.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\bittorrent.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libxml2-2.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\sqlite3.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\netbus-auth-bypass.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\oracle-enum-users.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-win32-users.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\anyconnect.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\mobileme.lua	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\openbsd_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\socks-auth-info.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-random-srcport.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2017-5689.nse	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\vl_1_75.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\vl_3_32.png	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libgcc_s_dw2-1.dll	nmap-7.93-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-double-pulsar-backdoor.nse	nmap-7.93-setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
816	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
484	NPFInstall.exe
484	NPFInstall.exe
4776	powershell.exe
4776	powershell.exe
4052	powershell.exe
4052	powershell.exe
1704	msedge.exe
1704	msedge.exe
4212	msedge.exe
4212	msedge.exe
808	identity_helper.exe
808	identity_helper.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	NPFInstall.exe
Token: SeAuditPrivilege	2800	svchost.exe
Token: SeSecurityPrivilege	2800	svchost.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4984	1280	nmap-7.93-setup.exe	92
PID 1280 wrote to memory of 4984	1280	nmap-7.93-setup.exe	92
PID 1280 wrote to memory of 4984	1280	nmap-7.93-setup.exe	92
PID 4984 wrote to memory of 484	4984	npcap-1.71.exe	94
PID 4984 wrote to memory of 484	4984	npcap-1.71.exe	94
PID 4984 wrote to memory of 4412	4984	npcap-1.71.exe	96
PID 4984 wrote to memory of 4412	4984	npcap-1.71.exe	96
PID 4984 wrote to memory of 4412	4984	npcap-1.71.exe	96
PID 4984 wrote to memory of 3780	4984	npcap-1.71.exe	98
PID 4984 wrote to memory of 3780	4984	npcap-1.71.exe	98
PID 4984 wrote to memory of 3780	4984	npcap-1.71.exe	98
PID 4984 wrote to memory of 3312	4984	npcap-1.71.exe	100
PID 4984 wrote to memory of 3312	4984	npcap-1.71.exe	100
PID 3312 wrote to memory of 4400	3312	NPFInstall.exe	103
PID 3312 wrote to memory of 4400	3312	NPFInstall.exe	103
PID 4984 wrote to memory of 1372	4984	npcap-1.71.exe	104
PID 4984 wrote to memory of 1372	4984	npcap-1.71.exe	104
PID 4984 wrote to memory of 3452	4984	npcap-1.71.exe	106
PID 4984 wrote to memory of 3452	4984	npcap-1.71.exe	106
PID 2800 wrote to memory of 2716	2800	svchost.exe	110
PID 2800 wrote to memory of 2716	2800	svchost.exe	110
PID 4984 wrote to memory of 4776	4984	npcap-1.71.exe	111
PID 4984 wrote to memory of 4776	4984	npcap-1.71.exe	111
PID 4984 wrote to memory of 4776	4984	npcap-1.71.exe	111
PID 4984 wrote to memory of 4052	4984	npcap-1.71.exe	113
PID 4984 wrote to memory of 4052	4984	npcap-1.71.exe	113
PID 4984 wrote to memory of 4052	4984	npcap-1.71.exe	113
PID 1280 wrote to memory of 4212	1280	nmap-7.93-setup.exe	118
PID 1280 wrote to memory of 4212	1280	nmap-7.93-setup.exe	118
PID 1280 wrote to memory of 3620	1280	nmap-7.93-setup.exe	119
PID 1280 wrote to memory of 3620	1280	nmap-7.93-setup.exe	119
PID 1280 wrote to memory of 3620	1280	nmap-7.93-setup.exe	119
PID 4212 wrote to memory of 1692	4212	msedge.exe	120
PID 4212 wrote to memory of 1692	4212	msedge.exe	120
PID 3620 wrote to memory of 816	3620	regedt32.exe	121
PID 3620 wrote to memory of 816	3620	regedt32.exe	121
PID 3620 wrote to memory of 816	3620	regedt32.exe	121
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122
PID 4212 wrote to memory of 944	4212	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\nmap-7.93-setup.exe
"C:\Users\Admin\AppData\Local\Temp\nmap-7.93-setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\npcap-1.71.exe
  "C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\npcap-1.71.exe" /loopback_support=no
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\NPFInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\NPFInstall.exe" -n -check_dll
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\roots.p7b"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\certutil.exe
    certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\signing.p7b"
    3⤵
    PID:3780
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\SYSTEM32\pnputil.exe
      pnputil.exe -e
      4⤵
      PID:4400
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -i2
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    PID:3452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://npcap.com/#download
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb0,0x108,0x7fff0dac46f8,0x7fff0dac4708,0x7fff0dac4718
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:3316
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x250,0x254,0x258,0x184,0xe8,0x7ff7370e5460,0x7ff7370e5470,0x7ff7370e5480
      4⤵
      PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    3⤵
    PID:2200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:2604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11640413671237732134,3373457473641603228,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4988
- C:\Windows\SysWOW64\regedt32.exe
  regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\nmap_performance.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\nmap_performance.reg"
    3⤵
    - Runs .reg file with regedit
    PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{06711878-594f-6847-8021-ca78ab8b02ed}\NPCAP.inf" "9" "405306be3" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Program Files (x86)\Nmap\zenmap.exe
"C:\Program Files (x86)\Nmap\zenmap.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4492
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX c:\users\admin\appdata\local\temp\zenmap-zjndjs.xml
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3172
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      PID:2372
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX c:\users\admin\appdata\local\temp\zenmap-unuquk.xml
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1936
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.cat

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\PROGRA~1\Npcap\npcap.sys

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
C:\Program Files (x86)\Nmap\PYTHON27.DLL

Filesize
2.5MB

MD5
77f43ca8468be239a76a12c2d640f1d9

SHA1
8a30bf4db3e95eecbdc694f501e9d670b76f5019

SHA256
a92dcb68cb58be8fbc695893ab8c9975a37b17f4cf21fc69cf802b48b2b5350e

SHA512
98791cd05b81e5a1daaddb3ddf0cdbb57f38fe4bab1397c2d825cf11d3fcdf4d8cc3a6d8f465cace72a04fea5e5c178e64738c48dc2871c56375a00d6f7dc94c

Download Submit
C:\Program Files (x86)\Nmap\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Program Files (x86)\Nmap\py2exe\bz2.pyd

Filesize
69KB

MD5
813c016e2898c6a2c1825b586de0ae61

SHA1
7113efcccb6ab047cdfdb65ba4241980c88196f4

SHA256
693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

SHA512
dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Download Submit
C:\Program Files (x86)\Nmap\py2exe\bz2.pyd

Filesize
69KB

MD5
813c016e2898c6a2c1825b586de0ae61

SHA1
7113efcccb6ab047cdfdb65ba4241980c88196f4

SHA256
693dfc5ccb8555a4183d4e196865ef0a766d7e53087c39059d096d03d6f64724

SHA512
dbb4add301ea127669d5dac4226ce0f5d6e5b2e50773db5c8083a9045a3cba0fcf6ea253a1183a4c87752bd3c5eb84128103a6d8ade71a7e410831b826d323ad

Download Submit
C:\Program Files (x86)\Nmap\py2exe\glib._glib.pyd

Filesize
57KB

MD5
0de636503e43c4eb00e80927bc9bda97

SHA1
a332441ccc490fcfcaf913b657ec9ef5d1ceed08

SHA256
f820c17ae8327aac088cf0f98fef17ef34fce27dda19ad279abbbc1aaac0293c

SHA512
0e9da1a0c643689328e888bade660868b111ab9008c3586fc1595ae990a6763d426779bfee6dfb0451c11bda55f098d413f5eb5e3b163c3cf3bf5feadc26819c

Download Submit
C:\Program Files (x86)\Nmap\py2exe\glib._glib.pyd

Filesize
57KB

MD5
0de636503e43c4eb00e80927bc9bda97

SHA1
a332441ccc490fcfcaf913b657ec9ef5d1ceed08

SHA256
f820c17ae8327aac088cf0f98fef17ef34fce27dda19ad279abbbc1aaac0293c

SHA512
0e9da1a0c643689328e888bade660868b111ab9008c3586fc1595ae990a6763d426779bfee6dfb0451c11bda55f098d413f5eb5e3b163c3cf3bf5feadc26819c

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libglib-2.0-0.dll

Filesize
1.2MB

MD5
18e88b04da123bf05b07ff60a4e96654

SHA1
f46cd8411e579da9f31749809a5707fecb28b7db

SHA256
c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde

SHA512
735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libglib-2.0-0.dll

Filesize
1.2MB

MD5
18e88b04da123bf05b07ff60a4e96654

SHA1
f46cd8411e579da9f31749809a5707fecb28b7db

SHA256
c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde

SHA512
735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libgthread-2.0-0.dll

Filesize
43KB

MD5
7ad6f303082b382bff7bafbab246c61f

SHA1
8d94c4d4b0633a80e28504a3c694dd2bae252854

SHA256
ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3

SHA512
eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598

Download Submit
C:\Program Files (x86)\Nmap\py2exe\libgthread-2.0-0.dll

Filesize
43KB

MD5
7ad6f303082b382bff7bafbab246c61f

SHA1
8d94c4d4b0633a80e28504a3c694dd2bae252854

SHA256
ee2e8485fdbfb2c5626099ccafcdc41ac60414dffd5c6c3befaf786634baf5c3

SHA512
eee840f217ff65b22efd16e78fb898990116efdfb6ee1cbf9d9fb64b9f3209f18860f6477c1df60352fb242671d973dcac043134748f823d210fc393ed4e2598

Download Submit
C:\Program Files (x86)\Nmap\py2exe\library.zip

Filesize
1.1MB

MD5
30f8aa89d164976d86f20c46a425a106

SHA1
a7a8be0f15dddd63e09e3f4dff4f70c34f460d71

SHA256
2f0a1e523dfe2471ac7a67eb581cf11b453607c1ab77bc8163435b89f1cbfdb9

SHA512
f65cb50087470f14f9bea4dd3d3746b598e4dfaa8f98473a404b806ca286885bb0d624bd559d1150e82ba0ca8fb5b98d7dfa4db5841033f5dd07403641394484

Download Submit
C:\Program Files (x86)\Nmap\py2exe\share\icons\hicolor\index.theme

Filesize
21KB

MD5
5138b82a57488ee821b8a38c2aa1420e

SHA1
28a356d5199ba3d64655b81c4d4f2cf950051589

SHA256
a4dfe3c4193014577207c4bbcf9a511238ba6d05665322e253f0fe599290c5fb

SHA512
b3be3d31d7a0b7aaf1269f766e1772fe866d312839ebe3fb2e09e793954be322a2e0160471f86e82c0ba1308227420887d02f9c8a10448cb963d0f6a258ef018

Download Submit
C:\Program Files (x86)\Nmap\py2exe\share\themes\MS-Windows\gtk-2.0\gtkrc

Filesize
1KB

MD5
94d104680cec5f3d8bbec56258d0c926

SHA1
72ede372fcb34b29754f20ad44f49bc8605cf22c

SHA256
e9dd3015f76e05f185ebe7564d364aef8b8168b05e62421c99875e14e4597977

SHA512
cf7d04304fa58e2dd9a8492b31b065c03c1f7ea96ab71d7d3d212eb17436c7c181470c23296fa3f599f1ef56c6b243921ed7f0a92ad3e0a6cd40a5fe857955a9

Download Submit
C:\Program Files (x86)\Nmap\python27.dll

Filesize
2.5MB

MD5
77f43ca8468be239a76a12c2d640f1d9

SHA1
8a30bf4db3e95eecbdc694f501e9d670b76f5019

SHA256
a92dcb68cb58be8fbc695893ab8c9975a37b17f4cf21fc69cf802b48b2b5350e

SHA512
98791cd05b81e5a1daaddb3ddf0cdbb57f38fe4bab1397c2d825cf11d3fcdf4d8cc3a6d8f465cace72a04fea5e5c178e64738c48dc2871c56375a00d6f7dc94c

Download Submit
C:\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
C:\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
C:\Program Files (x86)\Nmap\zenmap.exe

Filesize
441KB

MD5
9096cca0244a3f6860e31c32b01830c2

SHA1
f338101391120cb91d7892b9c4f6375557150a43

SHA256
080f3c25e76808357208530dbd45d4bd6b72377e479e4e3d1e68e77d36dd2646

SHA512
298f60583f0dc80a51ebcb70afdeacd6a38cc20b8e438b8fcfe0e7de963be3a66f3d6339b7881d338a2b5cc90b88d30a3d1692f12e7f9a5127604b0f612ed2b5

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
4b72b37d904cbf298fb8351cc80a048e

SHA1
f77357bd263f88acdb1b5cad300e7b116a1c2ee7

SHA256
953b89b39c78dafb27a05f27bc8faa97c70f2a6ec3bc2f81070a46b85d305f08

SHA512
e63d013ca9badc2d40634c6bdc1629adbade70a65753f317c7e7ac09078ad299105ad6e37fb18a8a6a0b0d994a2ea01c32a55cbc9a19b53466cd49603ee81181

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
393B

MD5
4e7c05ef7cfd4c1345b5a6632c62d6a3

SHA1
87984d04064f9086c54e14282544d4e11f094fe4

SHA256
e047878219bbe833be6351e8db03019187f08f619f9a8d2bea0e73fcc3f51259

SHA512
b8b9ed08d5f6cdc8502e936f9bee809249280d6834e20dc94c64558ee547dc13c7db19237e9e715443371bde6a58b676451c394b033dfc5a3155aaf84708566e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
656B

MD5
82f1b7cf547e12a337b99aad8715d7de

SHA1
69408d28f97d9f677f2d12ae718e42da6ce84065

SHA256
383e057443296f016bf3f769b242c3c6abf13dce9064fa24d5818f2cb4cc632e

SHA512
890105c5a51bfc53346c278bf040925870218904afd613b2043e1d023f4b58ccc8d2e43fa7baf969f389dda19e502a08d6f0239c2198c71627659ec2a1557354

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
8ef094e22b37ccbd8e4559a4ae801d9f

SHA1
f3fdce129d1e743f8d08c9bd870becbdc75c6295

SHA256
4b74d25340336df3d16ae08590e7f0e81174499781e2507be8ca6e8ad70101a7

SHA512
639b52b1253e11a9456ff508f33157edf9b0def79a9d5a5fb4734f00074d8669877f15d24b98954f53e8b82bbec67c058c7fa665540919e3dde13f81ee6442e5

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
2edeced5b181361b268791a67fff90d6

SHA1
fb7e1419595375de673f4b1d2f56fde3432a1d7e

SHA256
f0cf6abb4e3356b8cc773d3e29f49bf71f957fb6366b76b9f8375e7a6e75d21d

SHA512
88d982a5b444859c8dc5af67de660f869fe5a6dc37a1e1f4e55bf044df69c01c96abd6d2a7bdd28d096bc8d59636036db9ff822e3b3c6dd2397621ae73b4199c

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
fc20aff8da9457a2a264e667ccc9e394

SHA1
9dbe923b6548546f34ecb118c08669ff35062a7c

SHA256
c199a3f28eb43e1363a6a5ed4ed201ec6f872de0c67be4cedad1b51ca06c4dda

SHA512
a6a196c4a200f050bf8b99fe264e5c16737f67c44ad6a01d1071e317004bf56693accffd91f9fa394437ddf71d9c294d876399e08cff77d8e799feff7191b18e

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
cb64798c33b552afb7e34ed8877a6d44

SHA1
cb2975accdaa9c24d076c408655a98770efc1d25

SHA256
d5e9fdf05f98014d72e1b22e2f62b407ecc42c4ff18f19d9be437859234440f6

SHA512
46ec415f36b8a26d303145162e5cb82ce699c849b744340a522f14f8f3b79fc795815891ac7644c03e09eae70023271e2c629ea9d1e6fe11b7818ed234edfc87

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
22ccb02fd34fecaede08c33c37ff62f6

SHA1
cee6fb95da5a3e9bc4c2bde344bae5e0eea9c0db

SHA256
c3907c85cf9d4f279f50a5e04c9ebf2c3620c8cbb12aa4abd338cc8fca55493b

SHA512
8be9a5211f0a25a2401077b549f10fb2eae3e86169e6cd900138425d58840841270058a5521b49e70327660f9b16c55eba1ce8c1d0bc11689772ae52af646e5c

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
582c02bf9a3047c641394d8e1e11cb56

SHA1
d6d5df460186a1c65e60982c90a1e873ba9d391b

SHA256
056ee214c55804ce3f9af8820f1625ccfa4662c2b25673ff361f35ae0fe1105d

SHA512
e95aea4fbe3ef9b1bdd692b08b429478f80627ca94df17b25b8328243711046c11f4f5bc27fa5efa3b71491b5cbc0a87f988922143d73f918e846a47da938c3d

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
1cd9900c53a36c9db33a8c988878cc02

SHA1
54e455ac85c1dc6a4f6b39d92fed0c7ce3185aa6

SHA256
b9337d210f2c9f70fec8acf1557842d7768c910c0be372e9b06c284bf23664ba

SHA512
0aef1a5071b6971b752744ab15c9b2a2eb0f3178c68fc6429e06b7a451e64d110f3bacf45e31592bef69a04465248058522afac3a74f665ed07b6b93462391ae

Download Submit
C:\Users\Admin\.zenmap\scan_profile.usp

Filesize
1KB

MD5
0be64556263f7e7085fa1fd226c9a65a

SHA1
71d87e4ba660a627e8c4d5afc5b0d10fead10443

SHA256
c9854d1d6e4dd51efb7e9cd59a5672ecd96c07ce63d0311368dcc392d0e39e36

SHA512
6f926ae4a516a82fbff8c2255ce0d7b7ec7e82dfbc0cd394ee5522929cad7c51200aa70da54fc9ec65323440753d67a186a39eec7e6295a3e16e2482d6ef6d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
f7b986b8a86a20c0dd8a00ee028cd150

SHA1
e85425d5bdcd07d0e86c43afdf28d553a1fbf876

SHA256
ff94efa40ebb6c8e776160d3ac14b7b8df9a7dff5c27517d63b29e7615f1f13f

SHA512
b5fdb0e77a254e4deddd92de91f34d90767e2f3808415ef82c06382dbc7f5f74dad9ede6a56de3e1062304413dacf659c512676cad558763367184f0c14f4a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
40d7f2923e4d05046ade9bdd8e2fba8b

SHA1
2fa2fa82d9452c3a8466dcafae1be3bca2d7ffde

SHA256
30a008e6ceb5f1647c31130cee7870608bb9147dfc3747383c6368e0206fdebf

SHA512
1a167f4049e6a3a8a6eb9a7f4fa1d0ffbdc32b9bc2c241bb2729367079eeef9ecb6f593f554e5fa06ea83fa0b92ec68b34e43cafd29b8a2f40cf84371b9c32bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88a4655a2f2255b0c6fe9393e757f05d

SHA1
2a89052b4fd90b9d5c7201b12dc80ff35875a882

SHA256
3247ac6d3f158b42f602a496e3865c835542f63ac5bb4c2db009c1397548262b

SHA512
126a01270fae296f9bf3d14069412e3273b91d3b4069a16589c5074b93a6ced12a16d09c13272841111f0d6221a01209695e7300a3f45003ddc64cbfd41a982a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eeaf4296b7afa354121376fc6f4ec3f5

SHA1
248fb2167f72af123dc385d46e107b83ffe1764c

SHA256
71d48afed6e68e692814ccac2e2acfa66087259578fb3b523421bc63e0005748

SHA512
39e768a1b769b385d49db40ec5288be744b5047fd6af3b3a081f218eba0b4d51c7ce4a72fa105b84256d893d8768225081c9361bc4ee64859a5e93f1bcb86f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62c20d37c48a45b09556bdd446fc3aa8

SHA1
b261c623780d0f101ee2ac0dabf5eff77dad127a

SHA256
9c93a461284461edadd1719cc836e819d060a1a290f611efe9e30bd47817eecc

SHA512
863352f9e62899cd9478b2bfbda26ffdf643df42ce3a8071611bdc286f612749422b3716f805bc56f763d6177ccf6f029443367f9af22a2b98aba05b72dc8ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
4c8e037b3197157421c5f1a8714a2eb6

SHA1
abe48af9b7c0649a50106f968e1340d090301ea4

SHA256
13ca34495a6204007b1f39253fa3a0b95ea0eebb15085e258b05882efae94305

SHA512
cc658afbc0d4d8203d5a8001a45bae24e2573b023a8132d47a4fd808523a07cba353922deecdf7355452a5ede91429e6d6205c0647badf02a3c4ece0e36d2635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
d68e90e8b57bff90fef09f8cf5050c0e

SHA1
246d6af13c37474126fa5c704098613fa85bfdb2

SHA256
19ce302f286d6345a8100bfd5c68823d050442bacab1e304b0de2bd3be2494cf

SHA512
c537b05619f438f853ec4757a3471bb577d96c47a9f13f6debc2f19499c3611be4a0508b45c8e34104ed7af231609c08f189a52eff01b20ee2ffc88f743efe30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
2f55021e461cb801da3fec4bffdcb5d6

SHA1
891d1393b2d7a676a4a1a040fe0dafaf04c70aa7

SHA256
60b36461a1efe65362846fdb5ec46024de9e897b277340e0faf32b7330a5d855

SHA512
a03538a3f4a9f101eb45a93c80d6c7ac171d7243be877902c7f9f8ff3b23931768a0a557306fede2514059363f0e6a85c911ab6ded72bdd5431b836d9900996f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
3bd577afbf9cff0365418ea01a98b654

SHA1
8de4091eb276e17c23fc52d541c529c46f727e95

SHA256
8442a137ad25acf99265db684c10436d4a379beb252355d539366e37959a208a

SHA512
1f4874571a09ee737e9512ea462d2965476b3386047d063571e85c18da88daead176a226817469c85a6bfae2fe2812c4fe8fbef778b1e1da48f3533183d50d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
abb1ac2ef70da838e705cf2ff81dc291

SHA1
99df165e90b173c5d7c5f3be60aab49677602635

SHA256
3c395b82b90934b61e5175cd5440d8d11c0c1c18ace64d560e8ef4e144fc0cbb

SHA512
32cbd84a30ea3ab6b22563bb3e7f953e02201e7f44bf4858dcd4689b9dc1d552cee8b0d7c746777c26dc982551064b1f5322e68818ae0c8b5bb46dd179378797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
04a6e81ee3aa8e8f7826ad87bd9c2f4b

SHA1
9bb6cc684670bd32c1bf14af4649f41b79e7044c

SHA256
2dadc7720227505961e338910bc18fe951f967db5e63f8594df49513e8bf8e26

SHA512
65baa34a32429c18228c5d15898f1a78f0ad2dfa4f3beb687c0e5c3e1ca9aa6811955bf4c7e0064d2790d8ba9fb95a12ec64d3ed0cf0e9bf6049c25e5cc3a164

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsyugk0x.xii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\NPFInstall.exe

Filesize
300KB

MD5
36f0e125cb870ac28cdff861a684f844

SHA1
2e2cdeff8b14ef9146dddb9a659bcc6532c72421

SHA256
0560d98683343995d5f2dd5f2607f7298bd81be7746efa0d212481fbfa76788e

SHA512
144e014e1047ec0bcf96821207bb4138873557a1ff47843f34ee1c33b6ff1d8365de6177a14c5f8088d0a2087142b7a1f56bf7f7aba67bdd83bbb88f3a36507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\final.ini

Filesize
620B

MD5
ef0db0036da2205a978b174204a2fb80

SHA1
1a07cad0eb1be7938b4c7b14030f1e9835a207b7

SHA256
2e37a97d1bb3501cbe6b1075466735f435374cfb49c7b1fc6035049f19b01a5b

SHA512
b1dd267e5856e2991d4fe1153fd363f6d302e3a2ed7573963520085a5b2f107f367e22f84be75820798dd0dd13f050104542df8f60979df303aacada7adce791

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\options.ini

Filesize
2KB

MD5
5c12cb2bec2ac5638afa58c50594efbf

SHA1
f7838c285482781b4b3470a917511e46b2f529a3

SHA256
6be0dbd9dae055bf41c260fa807241f5bd64e270978bc1c56ee133a8ace9ea97

SHA512
e2a67b32fce1aab31850a999842603197fa6a64deab28b1d090f18b2bb5bb3c01bae93fc97ba0edc0e1d45fb74878d55dfeef3d051d301bd079b4314003f7b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\options.ini

Filesize
2KB

MD5
03a2a4aeafe901294ca3093be1b3dd40

SHA1
c1334c4895f8e7a1e437562e65917ffea67aa89b

SHA256
95c8d9206ea3f571bd78d45b180a56f3d304d02b5bedd79eb138bc83e7f803bf

SHA512
3890fa4894ea96c6cb10e499b2e85d13a334236ff878e2f6c128e83239ec8a50b31c03c389d4733b15576e8b7333bc3f379c687b9f3bc835d80d81b72543be5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscDB24.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\InstallOptions.dll

Filesize
22KB

MD5
17c877fec39fc8ce03b7f012ef25211f

SHA1
61adfa25cbd51375f0355aa9b895e1dc28389e19

SHA256
dbb0173bb09d64ca716b3fd9efb0222ecc7c13c11978d29f2b61cf550bcd7aba

SHA512
45c44c91bf72d058fcba93e7d96b45fcc3dc06855b86eca0f463aa4eeafc7e68493e33663c68fd3fdceed51dd0e76d3493c47da68a3efdc25af9e78c2643d29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\final.ini

Filesize
618B

MD5
264044f8ab471dcbf6ec669431ae8103

SHA1
81ddd4f943f98121b98704c2d03d69f4d4105e85

SHA256
0350f28276ecd0a0165878773249733fe9c65aa22e0207ad4bea43914da79cc3

SHA512
50361b46e2e3d1131d4c888a643be708023c9d9ee340df5139ec9e556acf801196fcc56bedffe69786f88446fe5d97879a34a96b734fc2997d71b203003cea8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\npcap-1.71.exe

Filesize
1.1MB

MD5
40cfea6d5a3ff15caf6dd4ae88a012b2

SHA1
287b229cecf54ea110a8b8422dcda20922bdf65e

SHA256
5ccb61296c48e3f8cd20db738784bd7bf0daf8fce630f89892678b6dda4e533c

SHA512
6ac4955286a4927ce43f7e85783631c9a801605c89a18ba95dde34d90eecbf4825b09e116890c8aca8defff767ad14843303dd557a67636bed1f1709b5399024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\shortcuts.ini

Filesize
452B

MD5
4a0bbe8383346a2146fa07b5025c30f5

SHA1
2205fe641f61731d4f7f12ca067c77b0982d77ff

SHA256
8d9cc8e0073c30116218d0630063591063666b0d74efccbe4604341766bebab8

SHA512
2c095366310ca58e1586b339b9ce5f5b990e3015611923fb34ce444e006f90bfdb1591bcea6c867eb69eb8811dd2b401a7faed015a58d7b1a14397979cce9874

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl7E9D.tmp\shortcuts.ini

Filesize
522B

MD5
23b9404528c83e9e654a1ede0df994f7

SHA1
3715a0f8db07c0a2c1a3a8e0270f4562436ea44e

SHA256
924790928604f3670b6d5ea123fa0e8068e910d74733a3a1e60cd7828223476a

SHA512
0335040099a7a0161cfb765f1f2301ded667cbcec0e2f141c1e6a263b11eaddc7885b53e85c76c806010f6d6b1b92336bb49f69a820a08e892f0c13bdbae91ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\{06711878-594f-6847-8021-ca78ab8b02ed}\NPCAP.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{06711~1\npcap.cat

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{06711~1\npcap.sys

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
cc1bfe8aa40d1628b2505f6f3acb72cb

SHA1
7bce5b9b813ad720a0a7ac7f62aec24b59a9893d

SHA256
afac604c7ee331cf17b2bd0f6d814de4236f72fec0969984127f3876f5722730

SHA512
82327436c485c5d8a5a72e6fc3d004843bb6a0f19673691d054e6d5e7f1593caf11fa048452f7bd4122e18b4fe95c3146b1e5d1c9c1b2893a79cd1ea179594b0

Download Submit
C:\Windows\INF\oem3.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b5b1a6e95c9e3ae5\npcap.inf

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B01.tmp

Filesize
12KB

MD5
be2a59b225dace6a52b98f17678786c0

SHA1
abec30ea6b668f9ccff77209d54b971ce6a22711

SHA256
43d10d470320041e663a82439d79cfac78de99addd98e02c4d60171710d032b2

SHA512
9a9acfe84f822b7f20148725a4abaa51118759f5688d4a3841c4a9e73b59801128adf4df54a14078408fb14ad0acea068a2bdd1cf0f9ffc6c44e6e38721f79d6

Download Submit
C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B11.tmp

Filesize
8KB

MD5
ff536154cf4932322ca818eda6712e49

SHA1
873bb1d640cdc9c41596f46fbc37b48a5d6b03cd

SHA256
4c1b4785d35a4828b98b7acacf8b18b0a4e4d0c9da683cd9294f6a6ae6cf7bf2

SHA512
164d9c7eca15fa83aa2645fd4eefbf2a562b49615978b72f6c9c1b072cbdd1bffdc3295d95b69d2cf26dba67f25d6fe82ddbfa6decda07fa855bfa3c2311d7b4

Download Submit
C:\Windows\System32\DriverStore\Temp\{7627aace-9699-5342-9b8c-a9d2ce28801a}\SET5B12.tmp

Filesize
75KB

MD5
08a2def8efc2619ddabe13a041703aea

SHA1
f9fd929c77d5a47766623abaa7490bcd98b3ad97

SHA256
a2039b552dfacd4edc2b8ed42bbe32cb0a481240fce18f78aeb1a68dbb747d39

SHA512
0afb5d2dd6747b37162494f4f90387160c5b90c58a71703d2ddd07256e848ee1f3e4237b660d511262255e54038ab11699808526a3574450c9407eb1e830dfac

Download Submit
memory/4052-1444-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/4052-1448-0x0000000006E60000-0x0000000006E92000-memory.dmp

Filesize
200KB

Download
memory/4052-1447-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/4052-1445-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/4492-2148-0x0000000065340000-0x0000000065377000-memory.dmp

Filesize
220KB

Download
memory/4492-2144-0x0000000068DC0000-0x0000000068DE4000-memory.dmp

Filesize
144KB

Download
memory/4492-2152-0x000000006D4C0000-0x000000006D4D4000-memory.dmp

Filesize
80KB

Download
memory/4492-2210-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/4492-2196-0x000000006C340000-0x000000006C3F3000-memory.dmp

Filesize
716KB

Download
memory/4492-2177-0x0000000068180000-0x00000000681BA000-memory.dmp

Filesize
232KB

Download
memory/4492-2178-0x0000000061DC0000-0x0000000061DCC000-memory.dmp

Filesize
48KB

Download
memory/4492-2179-0x0000000062D40000-0x0000000062D54000-memory.dmp

Filesize
80KB

Download
memory/4492-2120-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/4492-2122-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/4492-2123-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/4492-2176-0x0000000065880000-0x00000000658A2000-memory.dmp

Filesize
136KB

Download
memory/4492-2174-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/4492-2140-0x000000006A900000-0x000000006A916000-memory.dmp

Filesize
88KB

Download
memory/4492-2141-0x00000000685C0000-0x00000000686C6000-memory.dmp

Filesize
1.0MB

Download
memory/4492-2142-0x0000000065C40000-0x0000000065C4E000-memory.dmp

Filesize
56KB

Download
memory/4492-2150-0x0000000061780000-0x0000000061B3B000-memory.dmp

Filesize
3.7MB

Download
memory/4492-2173-0x0000000002740000-0x000000000277C000-memory.dmp

Filesize
240KB

Download
memory/4492-2146-0x0000000064740000-0x0000000064912000-memory.dmp

Filesize
1.8MB

Download
memory/4492-2145-0x0000000063A40000-0x0000000063A85000-memory.dmp

Filesize
276KB

Download
memory/4492-2147-0x000000006C340000-0x000000006C3F3000-memory.dmp

Filesize
716KB

Download
memory/4492-2175-0x000000006B8C0000-0x000000006B908000-memory.dmp

Filesize
288KB

Download
memory/4492-2149-0x000000006D580000-0x000000006D651000-memory.dmp

Filesize
836KB

Download
memory/4492-2172-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/4492-2143-0x000000006A300000-0x000000006A323000-memory.dmp

Filesize
140KB

Download
memory/4492-2151-0x0000000065580000-0x00000000655C2000-memory.dmp

Filesize
264KB

Download
memory/4492-2153-0x000000006DD00000-0x000000006DD0D000-memory.dmp

Filesize
52KB

Download
memory/4492-2154-0x0000000062E80000-0x0000000062E9F000-memory.dmp

Filesize
124KB

Download
memory/4492-2155-0x0000000062940000-0x0000000062960000-memory.dmp

Filesize
128KB

Download
memory/4492-2156-0x000000006B280000-0x000000006B296000-memory.dmp

Filesize
88KB

Download
memory/4492-2166-0x000000006D700000-0x000000006D7B6000-memory.dmp

Filesize
728KB

Download
memory/4492-2170-0x000000006A800000-0x000000006A879000-memory.dmp

Filesize
484KB

Download
memory/4492-2167-0x0000000064F80000-0x0000000064FC2000-memory.dmp

Filesize
264KB

Download
memory/4492-2171-0x0000000068F40000-0x0000000068F63000-memory.dmp

Filesize
140KB

Download
memory/4776-1409-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4776-1408-0x0000000005550000-0x0000000005B78000-memory.dmp

Filesize
6.2MB

Download
memory/4776-1427-0x0000000007940000-0x0000000007EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4776-1426-0x00000000067D0000-0x00000000067F2000-memory.dmp

Filesize
136KB

Download
memory/4776-1410-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4776-1411-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/4776-1412-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/4776-1413-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4776-1423-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4776-1424-0x0000000006800000-0x0000000006896000-memory.dmp

Filesize
600KB

Download
memory/4776-1425-0x0000000006780000-0x000000000679A000-memory.dmp

Filesize
104KB

Download
memory/4776-1407-0x0000000002D90000-0x0000000002DC6000-memory.dmp

Filesize
216KB

Download