aa7f639048e93e2a842f94d592dcc4334d16dd583fe849cc88bbb97f5f0b8997

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoofer-1.4.12-win32.exe
Size

16.4MB
MD5

190f8d40317a803cc9f85dc556dc5e5a
SHA1

d30e05e0d45e3317718872b938b3f4bec68629bd
SHA256

aa7f639048e93e2a842f94d592dcc4334d16dd583fe849cc88bbb97f5f0b8997
SHA512

fb7bf3b4e658db6de607670907e8089bca5898f9c3f6e9e31ec9c29afc5af26cde388935cee60f41ec3836c7f90c6caa78c785bfdc23e497a1ee99c0a374d80a
SSDEEP

393216:m6NDjZxu6GiVEBqFz8BMK5rV123ebF7JAzfI88+PXGPd/Do:3ZhGi8qp8BM2rVAuZ2ImiDo

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 1 IoCs

Processes:

WinPcap_4_1_3.exe

description ioc process

File created C:\Windows\system32\drivers\npf.sys WinPcap_4_1_3.exe

description	ioc	process
File created	C:\Windows\system32\drivers\npf.sys	WinPcap_4_1_3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Spoofer-1.4.12-win32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	Spoofer-1.4.12-win32.exe

Drops file in System32 directory 5 IoCs

Processes:

WinPcap_4_1_3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\pthreadVC.dll	WinPcap_4_1_3.exe
File created	C:\Windows\SysWOW64\Packet.dll	WinPcap_4_1_3.exe
File created	C:\Windows\system32\wpcap.dll	WinPcap_4_1_3.exe
File created	C:\Windows\system32\Packet.dll	WinPcap_4_1_3.exe
File created	C:\Windows\SysWOW64\wpcap.dll	WinPcap_4_1_3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

Processes:

Spoofer-1.4.12-win32.exeWinPcap_4_1_3.exe

description	ioc	process
File created	C:\Program Files (x86)\Spoofer\uninstall.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\CHANGES.txt	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	WinPcap_4_1_3.exe
File opened for modification	C:\Program Files (x86)\Spoofer\shortcuts.ini	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\scamper.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\firewall.vbs	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\restore.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\spoofer-prober.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\spoofer-gui.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\README.txt	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\WinPcap\rpcapd.exe	WinPcap_4_1_3.exe
File created	C:\Program Files (x86)\WinPcap\Uninstall.exe	WinPcap_4_1_3.exe
File opened for modification	C:\Program Files (x86)\WinPcap\WinPcapInstall.dll	WinPcap_4_1_3.exe
File created	C:\Program Files (x86)\Spoofer\spoofer-cli.exe	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\THANKS.txt	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\Spoofer\LICENSE.txt	Spoofer-1.4.12-win32.exe
File created	C:\Program Files (x86)\WinPcap\install.log	WinPcap_4_1_3.exe

Executes dropped EXE 7 IoCs

Processes:

WinPcap_4_1_3.exespoofer-scheduler.exespoofer-scheduler.exespoofer-scheduler.exespoofer-gui.exespoofer-prober.exescamper.exe

pid	process
3496	WinPcap_4_1_3.exe
4452	spoofer-scheduler.exe
2456	spoofer-scheduler.exe
4836	spoofer-scheduler.exe
1020	spoofer-gui.exe
5068	spoofer-prober.exe
4852	scamper.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2036 sc.exe
552 sc.exe
1612 sc.exe
1348 sc.exe

pid	process
2036	sc.exe
552	sc.exe
1612	sc.exe
1348	sc.exe

Loads dropped DLL 31 IoCs

Processes:

Spoofer-1.4.12-win32.exeWinPcap_4_1_3.exespoofer-prober.exe

pid	process
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
3496	WinPcap_4_1_3.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5112	Spoofer-1.4.12-win32.exe
5068	spoofer-prober.exe
5068	spoofer-prober.exe
5068	spoofer-prober.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\WinPcap_4_1_3.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\WinPcap_4_1_3.exe	nsis_installer_2

Modifies data under HKEY_USERS 4 IoCs

Processes:

spoofer-prober.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	spoofer-prober.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	spoofer-prober.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	spoofer-prober.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	spoofer-prober.exe

Modifies registry class 1 IoCs

Processes:

Spoofer-1.4.12-win32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings Spoofer-1.4.12-win32.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

spoofer-gui.exe

pid process

1020 spoofer-gui.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

spoofer-gui.exe

pid process

1020 spoofer-gui.exe
Suspicious behavior: LoadsDriver 11 IoCs

Processes:

pid process

668
668
668
668
668
668
668
668
668
668
668
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

spoofer-scheduler.exespoofer-gui.exe

pid process

2456 spoofer-scheduler.exe
1020 spoofer-gui.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	Spoofer-1.4.12-win32.exe

pid	process
1020	spoofer-gui.exe

pid	process
1020	spoofer-gui.exe

pid	process
668
668
668
668
668
668
668
668
668
668
668

pid	process
2456	spoofer-scheduler.exe
1020	spoofer-gui.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Spoofer-1.4.12-win32.exeWinPcap_4_1_3.exenet.exespoofer-scheduler.exespoofer-prober.exe

description	pid	process	target process
PID 5112 wrote to memory of 3496	5112	Spoofer-1.4.12-win32.exe	WinPcap_4_1_3.exe
PID 5112 wrote to memory of 3496	5112	Spoofer-1.4.12-win32.exe	WinPcap_4_1_3.exe
PID 5112 wrote to memory of 3496	5112	Spoofer-1.4.12-win32.exe	WinPcap_4_1_3.exe
PID 3496 wrote to memory of 4008	3496	WinPcap_4_1_3.exe	net.exe
PID 3496 wrote to memory of 4008	3496	WinPcap_4_1_3.exe	net.exe
PID 3496 wrote to memory of 4008	3496	WinPcap_4_1_3.exe	net.exe
PID 4008 wrote to memory of 3752	4008	net.exe	net1.exe
PID 4008 wrote to memory of 3752	4008	net.exe	net1.exe
PID 4008 wrote to memory of 3752	4008	net.exe	net1.exe
PID 5112 wrote to memory of 3216	5112	Spoofer-1.4.12-win32.exe	cscript.exe
PID 5112 wrote to memory of 3216	5112	Spoofer-1.4.12-win32.exe	cscript.exe
PID 5112 wrote to memory of 3216	5112	Spoofer-1.4.12-win32.exe	cscript.exe
PID 5112 wrote to memory of 4452	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 4452	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 4452	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 2036	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 2036	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 2036	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 552	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 552	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 552	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1612	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1612	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1612	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1348	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1348	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 1348	5112	Spoofer-1.4.12-win32.exe	sc.exe
PID 5112 wrote to memory of 4836	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 4836	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 4836	5112	Spoofer-1.4.12-win32.exe	spoofer-scheduler.exe
PID 5112 wrote to memory of 768	5112	Spoofer-1.4.12-win32.exe	NOTEPAD.EXE
PID 5112 wrote to memory of 768	5112	Spoofer-1.4.12-win32.exe	NOTEPAD.EXE
PID 5112 wrote to memory of 768	5112	Spoofer-1.4.12-win32.exe	NOTEPAD.EXE
PID 5112 wrote to memory of 1020	5112	Spoofer-1.4.12-win32.exe	spoofer-gui.exe
PID 5112 wrote to memory of 1020	5112	Spoofer-1.4.12-win32.exe	spoofer-gui.exe
PID 5112 wrote to memory of 1020	5112	Spoofer-1.4.12-win32.exe	spoofer-gui.exe
PID 2456 wrote to memory of 5068	2456	spoofer-scheduler.exe	spoofer-prober.exe
PID 2456 wrote to memory of 5068	2456	spoofer-scheduler.exe	spoofer-prober.exe
PID 2456 wrote to memory of 5068	2456	spoofer-scheduler.exe	spoofer-prober.exe
PID 5068 wrote to memory of 4852	5068	spoofer-prober.exe	scamper.exe
PID 5068 wrote to memory of 4852	5068	spoofer-prober.exe	scamper.exe
PID 5068 wrote to memory of 4852	5068	spoofer-prober.exe	scamper.exe

C:\Users\Admin\AppData\Local\Temp\Spoofer-1.4.12-win32.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer-1.4.12-win32.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\WinPcap_4_1_3.exe
"C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\WinPcap_4_1_3.exe"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\net.exe
net start npf
3⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start npf
4⤵
PID:3752

C:\Windows\SysWOW64\cscript.exe
"cscript.exe" /nologo "C:\Program Files (x86)\Spoofer\firewall.vbs" install
2⤵
PID:3216

C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
"C:\Program Files (x86)\Spoofer\spoofer-scheduler" --init
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\SysWOW64\sc.exe
"sc" create spoofer-scheduler binPath= "\"C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe\"" depend= tcpip DisplayName= "Spoofer Scheduler"
2⤵
- Launches sc.exe
PID:2036

C:\Windows\SysWOW64\sc.exe
"sc" description spoofer-scheduler "The spoofer client is part of a system to measure the Internet's resistance to packets with a spoofed (forged) source IP address. Visit https://spoofer.caida.org/ for more information."
2⤵
- Launches sc.exe
PID:552

C:\Windows\SysWOW64\sc.exe
"sc" config spoofer-scheduler start= auto
2⤵
- Launches sc.exe
PID:1612

C:\Windows\SysWOW64\sc.exe
"sc" start spoofer-scheduler
2⤵
- Launches sc.exe
PID:1348

C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
"C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe" --check-settings
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Spoofer\README.txt
2⤵
PID:768

C:\Program Files (x86)\Spoofer\spoofer-gui.exe
"C:\Program Files (x86)\Spoofer/spoofer-gui.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
"C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Spoofer\spoofer-prober.exe
"C:\Program Files (x86)\Spoofer\spoofer-prober" -s1 -r1 -4 -6 -U 10412900
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:5068

C:\Program Files (x86)\Spoofer\scamper.exe
"C:\Program Files (x86)\Spoofer\scamper.exe" "-c" "trace -P icmp-paris -q 1 -w 1" "-i" 127.0.0.1
3⤵
- Executes dropped EXE
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Spoofer\README.txt

Filesize
2KB

MD5
989526391fc1cbe35f416900e4a1021e

SHA1
38c1db300174ccadea13eefded91885dfe3fc2da

SHA256
e901c65d43e3f7ec295945fc36a969f5e689f7767d05c4df52d4077494881b20

SHA512
06d7463cab98f04661c0e6fd76756fdb8b3438560693147e5831d5814715fb6f1756f2243f969741e06726cd470da51eea29d034cfc1e18eba81e5a04e9bc5a8

Download Submit
C:\Program Files (x86)\Spoofer\firewall.vbs

Filesize
7KB

MD5
c3968ffa8424213e2e6310acb096dca3

SHA1
0b2d19d0d88dbe60e0d83b8e400d3aad42713e1f

SHA256
81b19ab7f09ef712e30c43c94f9ce5997eeae920036180d597d0c251dbb95f9d

SHA512
b9198890f6ec781ebfe177839749dc50491b1e42d04ba6cde1d056c053cd6516e1c8e555800354ebf7ac5135efc3356c5d7249940c59e21fd40086d0b63f381c

Download Submit
C:\Program Files (x86)\Spoofer\scamper.exe

Filesize
562KB

MD5
1650501263db72ccd9a49052a0bc3779

SHA1
2118068d8ad8a36005cc459cbeb88d5dd869e0cf

SHA256
66eff9a868c58c87304c793215342596f0340326ce240f8889a6535c314cec90

SHA512
8887df0cff41da2508d3b91f9563c445fcae06d974124ab73eec692aa10dce6cd90cd7291c1e723c02dcde10d945dcdce5fee98cc2eeb57bd40507718fd92313

Download Submit
C:\Program Files (x86)\Spoofer\spoofer-gui.exe

Filesize
15.4MB

MD5
1cebd49aff235e71aff3a61af6c858cb

SHA1
a2d52c0551e8733596def57c245dda9412f3b1a5

SHA256
ea6736954b9419b97ac26ee2ce6d6ad0306ee22d66129f36015a7fce7a3b51a4

SHA512
d4a257b7c049c46384969400fc68835ac87efc6401aa63f0bc1f0afb2b99fedcd579686f37f7465d153a4c15ed38f099778b36b8b5aecb7d2ed69ea75e570e6c

Download Submit
C:\Program Files (x86)\Spoofer\spoofer-prober.exe

Filesize
3.9MB

MD5
0d44f3d45865cf66568b9ce024d499d0

SHA1
5eaf990e07bda43685939ac45c71be05efdb4faf

SHA256
2bd691977c54e5bb4a16385c4345fafd60f1482bcea5cca19727037eb967104d

SHA512
2e8a2e4242175804b3458433f3fba5b225a0eeb4996da2ea83b44b6df7bca77207d81d17675522074994e0ea5be4d469aec49b2e2ae5ee3f2d87688511e68eb3

Download Submit
C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe

Filesize
7.9MB

MD5
2b571ef2d50ed9f42d09a34899358b17

SHA1
81c1bef20a6f57695199558dee6e0b02c78ff473

SHA256
4a0b7ca3b39fa30914f0117d87dcf636490bb590f1e35a86689982b5ec3848a7

SHA512
8302d6862eb5f4aa6a376dd46e68e780038aef6a570f39e315210e03de203bda0c35c5565283920d3a4fef1b3a99f6cbaf2160791f77d54444d9c207dea394b3

Download Submit
C:\Program Files (x86)\WinPcap\WinPcapInstall.dll

Filesize
91KB

MD5
e78291558cb803dfd091ad8fb56feecc

SHA1
4bde2f87e903fe8d3bd80179c5584cec7a8cbdc4

SHA256
d9f4cd9f0e1bc9a138fb4da6f83c92c3e86eb3de4f988d5943d75c9b1dc6bb9d

SHA512
042b96bc2c0e6d8b6e2730426938eb7400fd833be8a108a4942f559fedefabc35fd5dcb7ea1898d377b4382c0a9af8eeeebd663a4c852c706e3bd168c1f1f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\bootOptions.ini

Filesize
349B

MD5
73461ff69941beefb0f5630b29b5ae2e

SHA1
f8f33b309db03f1bc5a9fd452150245474c000f1

SHA256
81a27757de2fa404014be9a73f502537628f82a3da3f809b1ff5584a828910b8

SHA512
38b3a21683bb30cc301406e2f12d0cf916299a4618af552f9e01b1b0fecddf22c79e37f7aaf3f2a85706a263049d10c17ccc417fa9c07f8b74c28284a02da460

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\bootOptions.ini

Filesize
371B

MD5
f21732573f3120af19bc694effe12335

SHA1
38af078de425cb40be9dabddbc8263b8ca093862

SHA256
a76b6c3ec4228a47be2a12363172d7be748dfa19f65ca034b73bd674992b3a68

SHA512
be3a2689a703d79ffa6cddae0640896da85ecf879f7607760b2cb2dcef64da279dc06b1dc1e56cd63677cdbcb2aba1344263d6fff802d70f8f76b542e748ebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\ioSpecial.ini

Filesize
556B

MD5
1176781ff441f3faa3275a2df4adcb9f

SHA1
be7e8f0eb6e2597f339446849540bce8d8770254

SHA256
5f823ca0ba430311825e058001f855776a22bf48749c700cbb1eb376abdedfda

SHA512
9bd233ba55ae798b93c5308b4f7bc7660135cfa30922e02e2ce331b8372f2b3db35a389ae0212c7f6b2538313073abdc20ff93550416373bfc79decc2cd110a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\ioSpecial.ini

Filesize
556B

MD5
cce0b9fdd86abb260e268fa0bc1faa25

SHA1
3ca6aabec67cddb822cf43c29b75fef98317a389

SHA256
5c1cd5a13c859e23aaabcfaa4fee6933231abe8fe2ff4cfb5cbda7c4dc41180c

SHA512
00b64e98e265f0234f986fe1e3c4bb582fb884f43496beb7655568f25ff8221e70dfe960bf2618616f853a67a272a3476ad7769dbf91c9a2135617f57a23c9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\ioSpecial.ini

Filesize
556B

MD5
1fb7e9c2c712bec1eee9889355efcedc

SHA1
ddd42d4e2b58229031b0da3ea0d8cb8d173f38db

SHA256
cde3ca91bb1b63cddab3f7ddb4c2ba38ec1a5e65edb1ba503f435fdd3c59f3cd

SHA512
983920ed0888f3b070090abe1859959f66a285665d0539e63abbd306d2bc68aa42c434daf9c4c6969c9e8c86bb569d295417074128b6f2502396b11b9305f078

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\ioSpecial.ini

Filesize
578B

MD5
c8239d64b4cd0bcfc9a352b93af6b4b0

SHA1
c761a2ff97b3cd025e30bf6ae2d0742f48e2ee38

SHA256
ad15ccebabf772baa364bcad0559f81d9951fc7ccb42db3cc6fa6776f468b84e

SHA512
0e46972920ec36b7ed37572534dccae01ff700d0553fcb18f85f471c6b99aff4ce24b088d464e3081b4874d669dcae075818a2cd2b8d2d152eaa36de456f8ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscF27F.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\WinPcap_4_1_3.exe

Filesize
893KB

MD5
a11a2f0cfe6d0b4c50945989db6360cd

SHA1
e2516fcd1573e70334c8f50bee5241cdfdf48a00

SHA256
fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de

SHA512
2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\nsDialogs.dll

Filesize
9KB

MD5
13b6a88cf284d0f45619e76191e2b995

SHA1
09ebb0eb4b1dca73d354368414906fc5ad667e06

SHA256
cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911

SHA512
2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnBF4B.tmp\nsExec.dll

Filesize
6KB

MD5
b648c78981c02c434d6a04d4422a6198

SHA1
74d99eed1eae76c7f43454c01cdb7030e5772fc2

SHA256
3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

SHA512
219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

Download Submit
C:\Windows\SysWOW64\Packet.dll

Filesize
95KB

MD5
86316be34481c1ed5b792169312673fd

SHA1
6ccde3a8c76879e49b34e4abb3b8dfaf7a9d77b5

SHA256
49656c178b17198470ad6906e9ee0865f16f01c1dbbf11c613b55a07246a7918

SHA512
3a6e77c39942b89f3f149e9527ab8a9eb39f55ac18a9db3a3922dfb294beb0760d10ca12be0e3a3854ff7dabbe2df18c52e3696874623a2a9c5dc74b29a860bc

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
275KB

MD5
4633b298d57014627831ccac89a2c50b

SHA1
e5f449766722c5c25fa02b065d22a854b6a32a5b

SHA256
b967e4dce952f9232592e4c1753516081438702a53424005642700522055dbc9

SHA512
29590fa5f72e6a36f2b72fc2a2cca35ee41554e13c9995198e740608975621142395d4b2e057db4314edf95520fd32aae8db066444d8d8db0fd06c391111c6d3

Download Submit
memory/1020-357-0x0000000000400000-0x0000000001371000-memory.dmp

Filesize
15.4MB

Download
memory/1020-352-0x0000000000400000-0x0000000001371000-memory.dmp

Filesize
15.4MB

Download
memory/1020-374-0x0000000000400000-0x0000000001371000-memory.dmp

Filesize
15.4MB

Download
memory/2456-353-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/2456-351-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/2456-324-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/2456-377-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/3496-169-0x0000000004AF0000-0x0000000004B06000-memory.dmp

Filesize
88KB

Download
memory/4452-292-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/4836-335-0x0000000000400000-0x0000000000BF4000-memory.dmp

Filesize
8.0MB

Download
memory/4852-371-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5068-366-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/5068-375-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download