Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 11:51

General

  • Target

    GlobalProtect64.msi

  • Size

    153.1MB

  • MD5

    4b1733124a19056ca4301231f2e0d245

  • SHA1

    66a1b33fde2ae3d7fae05a059c861197d87c04c1

  • SHA256

    21689eafdfd6005ae75683a423b7816592cdf9aae03d983782d9272bb71787b9

  • SHA512

    c2513920d48986dc595a009d782253d5456543226d6f1aebf18609e268c15c35d1ca27dc6e38072d7d206391381c136aad471a20f25565b0e00c9af43bfc72ce

  • SSDEEP

    3145728:QJCdGkU9a6wnzYdRQ7O7rtEtBsIvCcJr9SlX2OVwji5Xv+Jb8rTnNWFdbk:Q0dGk0a6wzOK7O7rtEEIvV9ShHV/v+JG

Signatures

  • Wikiloader

    Wikiloader is a loader and backdoor written in C++.

  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 61 IoCs
  • Drops file in Windows directory 64 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 51 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 53 IoCs
  • Modifies registry class 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:3532
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GlobalProtect64.msi
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2780
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2380
    • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe
      "C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4712
    • C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
      "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe" -commit
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3444
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2920
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Checks SCSI registry key(s)
    PID:680
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf" "9" "4473c0673" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Palo Alto Networks\GlobalProtect"
      2⤵
      • Drops file in System32 directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3852
  • C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
    "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2368
    • C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
      "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe" fromGPS
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1564

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57f500.rbs

    Filesize

    57KB


  • C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd.sys

    Filesize

    76KB


  • C:\PROGRA~1\PALOAL~1\GLOBAL~1\pangpd64.cat

    Filesize

    10KB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe

    Filesize

    12.7MB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe

    Filesize

    10.9MB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\PsvCtrl.dll

    Filesize

    279KB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

    Filesize

    318B


  • C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

    Filesize

    1KB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

    Filesize

    1KB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\debug_drv.log

    Filesize

    2KB


  • C:\Program Files\Palo Alto Networks\GlobalProtect\pangpd.inf

    Filesize

    4KB


  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Palo Alto Networks\GlobalProtect\GlobalProtect.lnk

    Filesize

    2KB


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

    Filesize

    1KB


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    1KB


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_8D4B68B7C97F275D69553A81C95CD59F

    Filesize

    536B


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    536B


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\certificate.pem

    Filesize

    111KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\config.xml

    Filesize

    7KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\contextMenu.xml

    Filesize

    4KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\langs.xml

    Filesize

    451KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\license_us_EN.html

    Filesize

    1.7MB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\notepad.exe

    Filesize

    6.9MB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\Config\nppPluginList.dll

    Filesize

    204KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppConverter\NppConverter.dll

    Filesize

    198KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\NppExport\NppExport.dll

    Filesize

    153KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\plugins\mimeTools\mimeTools.dll

    Filesize

    145KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\session.xml

    Filesize

    193B


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shortcuts.xml

    Filesize

    3KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\shr4.dll

    Filesize

    145KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\stylers.xml

    Filesize

    182KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\toolbarIcons.xml

    Filesize

    2KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\updater\gup.exe

    Filesize

    818KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled.udl.xml

    Filesize

    6KB


  • C:\Users\Admin\AppData\Roaming\NitroSoftNPv1.3\userDefineLangs\markdown._preinstalled_DM.udl.xml

    Filesize

    6KB


  • C:\Windows\Installer\{654C71C3-9449-4BCD-8AE3-06648507751C}\_B87728FC0BC25287CF303A.exe

    Filesize

    4KB


  • C:\Windows\System32\DriverStore\FileRepository\pangpd.inf_amd64_395e590fee2fe205\pangpd.PNF

    Filesize

    10KB


  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB


  • \??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4ac3c54d-dcc8-4fe6-add0-d41a7b417222}_OnDiskSnapshotProp

    Filesize

    6KB


  • memory/3532-361-0x000000000DE70000-0x000000000EAD6000-memory.dmp

    Filesize

    12.4MB

  • memory/3532-339-0x000000000DE70000-0x000000000EAD6000-memory.dmp

    Filesize

    12.4MB

  • memory/3532-338-0x0000000008D50000-0x0000000008D68000-memory.dmp

    Filesize

    96KB

  • memory/4712-336-0x0000028B00000000-0x0000028B05F5F000-memory.dmp

    Filesize

    95.4MB

  • memory/4712-337-0x0000028B7D2E0000-0x0000028B7D35B000-memory.dmp

    Filesize

    492KB