a3f25cf73d46cecf88b791616b7b15efb57f0d17d61904af655535568288c35e

Resubmissions

11-12-2024 23:32

241211-3jjjjaslgx 8

02-12-2024 12:03

24-11-2024 10:24

24-11-2024 10:02

24-11-2024 10:01

Analysis

max time kernel
986s
max time network
1040s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-12-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe
Size

60KB
MD5

93f4a2182702dcb81cc63506ffb8f185
SHA1

b6f91299ad563acdb42725f3502a91904d4957f3
SHA256

a3f25cf73d46cecf88b791616b7b15efb57f0d17d61904af655535568288c35e
SHA512

642993e2bff2db269a17d891750902dc3e4df29ccac7d7ccb51f70a7779b2f58d645df8383ed85ffe0ded851896d78aef9da1241679cd3ad0f130fe6e0e0d747
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOe:71Tzy48untU8fOMEI3jyYfPiuOe

Score

8^/10

defense_evasion discovery execution motw phishing

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4532	powershell.exe
8188	powershell.exe
4608	powershell.exe
7252	powershell.exe
5432	powershell.exe
3036	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETCFD.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETCFD.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe

A potential corporate email address has been identified in the URL: httpsmedium.com@bonguides25howtoinstallnetcatonwindows1011f5be1a185611
phishing

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	pythonw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	pythonw.exe

Executes dropped EXE 15 IoCs

pid	Process
5976	nmap-7.95-setup.exe
6356	npcap-1.79.exe
8920	NPFInstall.exe
8476	NPFInstall.exe
8828	NPFInstall.exe
2952	NPFInstall.exe
3600	pythonw.exe
7172	pythonw.exe
9220	nmap.exe
9632	nmap.exe
9724	nmap.exe
8500	ncat.exe
9856	ncat.exe
8940	ncat.exe
2440	nmap.exe

Loads dropped DLL 64 IoCs

pid	Process
5976	nmap-7.95-setup.exe
5976	nmap-7.95-setup.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
6356	npcap-1.79.exe
5976	nmap-7.95-setup.exe
5976	nmap-7.95-setup.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe
3600	pythonw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
264	whatismyipaddress.com
265	whatismyipaddress.com
266	whatismyipaddress.com
267	whatismyipaddress.com
268	whatismyipaddress.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
1090	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB76.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB77.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB77.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.79.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.79.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB76.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB78.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_7e15104413fda30a\NPCAP.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.79.exe
File created	C:\Windows\System32\DriverStore\Temp\{4cb5e802-d188-0841-8ce5-417f1fe1cfe5}\SETB78.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.79.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\irc-unrealircd-backdoor.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\bits.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\fcrdns.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\creds-summary.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-nsec3-enum.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\bin\libffi-8.dll	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\etc\gtk-3.0\im-multipress.conf	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\cassandra-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\xmpp-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\genericpath.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smtp-commands.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\importlib\resources\_legacy.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\unittest\loader.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\targets-ipv6-multicast-slaac.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssl-known-key.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\gdk-pixbuf-2.0\2.10.0\loaders\libpixbufloader-png.dll.a	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\Version.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ip-geolocation-geoplugin.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-traceroute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\enip-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ms-sql-dump-hashes.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ls.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\big5.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\cp875.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\higwidgets\higscrollers.py	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\broadcast-sonicwall-discover.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\multiprocessing\sharedctypes.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\bestwidgets\__pycache__\labels.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\share\glib-2.0\schemas\gschema.dtd	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\iscsi-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\weblogic-t3-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\mac_croatian.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\mbcs.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\omp2-brute.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\__pycache__\ScanHostDetailsPage.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\iso8859_5.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\util\__pycache__\integration.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\bitcoin-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ldap-novell-getpass.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\koi8_t.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\data\pixmaps\ubuntu_32.png	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2013-0156.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\__pycache__\App.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\telnet-encryption.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mcafee-epo-agent.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\snmp.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\__pycache__\__init__.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nmap-os-db	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\socks-auth-info.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\I18N.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\multicast-profinet-discovery.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\NSEDocParser.py	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-vuln-ms17-010.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\pjl-ready-message.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\lib-dynload\_sha3.cp311-mingw_x86_64.pyd	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\radialnet\gui\__init__.py	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapCore\__pycache__\UmitDB.cpython-311.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\zenmapGUI\__pycache__\ScanInterface.cpython-311.pyc.1739358768096	pythonw.exe
File created	C:\Program Files (x86)\Nmap\scripts\nbns-interfaces.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ajp.lua	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\girepository-1.0\GLib-2.0.typelib	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\site-packages\gi\overrides\Gio.pyc	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-method-tamper.nse	nmap-7.95-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\rtsp-urls.txt	nmap-7.95-setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\nmap-7.95-setup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexpress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap-7.95-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\nmap-7.95-setup.exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 1 IoCs

pid	Process
8992	regedit.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3600	pythonw.exe
7172	pythonw.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
8920	NPFInstall.exe
8920	NPFInstall.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
7252	powershell.exe
7252	powershell.exe
7252	powershell.exe
5432	powershell.exe
5432	powershell.exe
5432	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
8188	powershell.exe
8188	powershell.exe
8188	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	692	firefox.exe
Token: SeDebugPrivilege	8920	NPFInstall.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	7252	powershell.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeAuditPrivilege	8424	svchost.exe
Token: SeSecurityPrivilege	8424	svchost.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	8188	powershell.exe
Token: SeIncreaseQuotaPrivilege	8188	powershell.exe
Token: SeSecurityPrivilege	8188	powershell.exe
Token: SeTakeOwnershipPrivilege	8188	powershell.exe
Token: SeLoadDriverPrivilege	8188	powershell.exe
Token: SeSystemProfilePrivilege	8188	powershell.exe
Token: SeSystemtimePrivilege	8188	powershell.exe
Token: SeProfSingleProcessPrivilege	8188	powershell.exe
Token: SeIncBasePriorityPrivilege	8188	powershell.exe
Token: SeCreatePagefilePrivilege	8188	powershell.exe
Token: SeBackupPrivilege	8188	powershell.exe
Token: SeRestorePrivilege	8188	powershell.exe
Token: SeShutdownPrivilege	8188	powershell.exe
Token: SeDebugPrivilege	8188	powershell.exe
Token: SeSystemEnvironmentPrivilege	8188	powershell.exe
Token: SeRemoteShutdownPrivilege	8188	powershell.exe
Token: SeUndockPrivilege	8188	powershell.exe
Token: SeManageVolumePrivilege	8188	powershell.exe
Token: SeImpersonatePrivilege	8188	powershell.exe
Token: 33	8188	powershell.exe
Token: 34	8188	powershell.exe
Token: 35	8188	powershell.exe
Token: 36	8188	powershell.exe
Token: SeIncreaseQuotaPrivilege	8188	powershell.exe
Token: SeSecurityPrivilege	8188	powershell.exe
Token: SeTakeOwnershipPrivilege	8188	powershell.exe
Token: SeLoadDriverPrivilege	8188	powershell.exe
Token: SeSystemProfilePrivilege	8188	powershell.exe
Token: SeSystemtimePrivilege	8188	powershell.exe
Token: SeProfSingleProcessPrivilege	8188	powershell.exe
Token: SeIncBasePriorityPrivilege	8188	powershell.exe
Token: SeCreatePagefilePrivilege	8188	powershell.exe
Token: SeBackupPrivilege	8188	powershell.exe
Token: SeRestorePrivilege	8188	powershell.exe
Token: SeShutdownPrivilege	8188	powershell.exe
Token: SeDebugPrivilege	8188	powershell.exe
Token: SeSystemEnvironmentPrivilege	8188	powershell.exe
Token: SeRemoteShutdownPrivilege	8188	powershell.exe
Token: SeUndockPrivilege	8188	powershell.exe
Token: SeManageVolumePrivilege	8188	powershell.exe
Token: SeImpersonatePrivilege	8188	powershell.exe
Token: 33	8188	powershell.exe
Token: 34	8188	powershell.exe
Token: 35	8188	powershell.exe
Token: 36	8188	powershell.exe
Token: SeIncreaseQuotaPrivilege	8188	powershell.exe
Token: SeSecurityPrivilege	8188	powershell.exe
Token: SeTakeOwnershipPrivilege	8188	powershell.exe
Token: SeLoadDriverPrivilege	8188	powershell.exe
Token: SeSystemProfilePrivilege	8188	powershell.exe
Token: SeSystemtimePrivilege	8188	powershell.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
3600	pythonw.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
692	firefox.exe
5976	nmap-7.95-setup.exe
6356	npcap-1.79.exe
8920	NPFInstall.exe
8476	NPFInstall.exe
8828	NPFInstall.exe
2952	NPFInstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4200	4060	93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe	81
PID 4060 wrote to memory of 4200	4060	93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe	81
PID 4060 wrote to memory of 4200	4060	93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe	81
PID 4200 wrote to memory of 4492	4200	cmd.exe	82
PID 4200 wrote to memory of 4492	4200	cmd.exe	82
PID 4200 wrote to memory of 4492	4200	cmd.exe	82
PID 4492 wrote to memory of 1192	4492	iexpress.exe	83
PID 4492 wrote to memory of 1192	4492	iexpress.exe	83
PID 4492 wrote to memory of 1192	4492	iexpress.exe	83
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 3800 wrote to memory of 692	3800	firefox.exe	96
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97
PID 692 wrote to memory of 2336	692	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EF4.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\93f4a2182702dcb81cc63506ffb8f185_JaffaCakes118.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1192

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1900 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d8d6ee-998c-49a9-a956-902e34f1aa0d} 692 "\\.\pipe\gecko-crash-server-pipe.692" gpu
    3⤵
    PID:2336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6171a71e-744c-42fe-9bd1-f1660ca6c9f6} 692 "\\.\pipe\gecko-crash-server-pipe.692" socket
    3⤵
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3048 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebacb635-3cfd-45f4-9f84-ba5a23deb9f2} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 2936 -prefMapHandle 2840 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {795321ca-0e86-4291-a03a-124268c10698} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f3ce4e4-13b2-4b3d-813e-eab9c6b0b897} 692 "\\.\pipe\gecko-crash-server-pipe.692" utility
    3⤵
    - Checks processor information in registry
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {485a246e-0e50-47cc-9509-97532c4bc680} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf3b9bb-6ec3-4b37-b5c4-94f34e8d6eab} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af29b0a-8166-4415-a758-e959678014d2} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6396 -childID 6 -isForBrowser -prefsHandle 6384 -prefMapHandle 6372 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05b191f6-f8dd-44ed-b4c8-a4c64567f290} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:4608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 7 -isForBrowser -prefsHandle 3244 -prefMapHandle 3264 -prefsLen 27949 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3557fa0a-9221-4fb5-a654-d5bc48238a41} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6812 -childID 8 -isForBrowser -prefsHandle 6784 -prefMapHandle 6796 -prefsLen 27949 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4a80d9f-8a66-412e-a8c3-c45c91370ebb} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 9 -isForBrowser -prefsHandle 6232 -prefMapHandle 4312 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678a91d1-be6a-44f7-8045-8cbe1d9355b3} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6484 -childID 10 -isForBrowser -prefsHandle 6452 -prefMapHandle 6404 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38999d85-92d4-4d37-97be-d298f835e493} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7356 -parentBuildID 20240401114208 -prefsHandle 5152 -prefMapHandle 7352 -prefsLen 30524 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba6a94eb-56ae-4774-bc8d-5fd399a76af3} 692 "\\.\pipe\gecko-crash-server-pipe.692" rdd
    3⤵
    PID:1436
- - C:\Users\Admin\Downloads\nmap-7.95-setup.exe
    "C:\Users\Admin\Downloads\nmap-7.95-setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5976
  - - C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\npcap-1.79.exe
      "C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\npcap-1.79.exe" /loopback_support=no
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6356
    - - C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\NPFInstall.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\NPFInstall.exe" -n -check_dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:8920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7252
      - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
        6⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:8444
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8512
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
      - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8840
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8420
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\signing.p7b"
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:8392
    - - C:\Program Files\Npcap\NPFInstall.exe
        
        "C:\Program Files\Npcap\NPFInstall.exe" -n -c
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8476
      - C:\Windows\SYSTEM32\pnputil.exe
        
        pnputil.exe -e
        6⤵
        
        PID:5676
    - - C:\Program Files\Npcap\NPFInstall.exe
        
        "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8828
    - - C:\Program Files\Npcap\NPFInstall.exe
        
        "C:\Program Files\Npcap\NPFInstall.exe" -n -i
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8188
  - - C:\Windows\SysWOW64\regedt32.exe
      regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\nmap_performance.reg"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8048
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\nmap_performance.reg"
        5⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:8992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8800 -childID 11 -isForBrowser -prefsHandle 8804 -prefMapHandle 6420 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e0556fa-931c-4c64-afd7-7ad1a0a49773} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8808 -childID 12 -isForBrowser -prefsHandle 8936 -prefMapHandle 8940 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b1a16d1-d2d1-4e69-ab3a-b7188fbcff95} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9664 -childID 13 -isForBrowser -prefsHandle 9656 -prefMapHandle 9652 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {295617c1-d0fa-4bf0-bd0c-907472378d77} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:6076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9692 -childID 14 -isForBrowser -prefsHandle 9724 -prefMapHandle 9612 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b281294e-8f62-43bc-a9db-6e29a2c80310} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10788 -childID 15 -isForBrowser -prefsHandle 10800 -prefMapHandle 10492 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73256518-84da-46d3-9c83-ce37436f70ed} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10904 -childID 16 -isForBrowser -prefsHandle 10912 -prefMapHandle 10920 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d28e964-2a2d-4aa0-9dd4-32f8ed470144} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11108 -childID 17 -isForBrowser -prefsHandle 11188 -prefMapHandle 11184 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29bab749-a1a2-43a0-b7a6-e6715022ee81} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9932 -childID 18 -isForBrowser -prefsHandle 11424 -prefMapHandle 11412 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8efc07fd-a416-418d-9964-407b71b153d4} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11444 -childID 19 -isForBrowser -prefsHandle 11436 -prefMapHandle 11432 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bccb7ec2-3bad-43ba-b7cc-1e12bdffd82d} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11664 -childID 20 -isForBrowser -prefsHandle 11824 -prefMapHandle 11820 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {505511f6-8c24-401c-a5de-a70c23754290} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11940 -childID 21 -isForBrowser -prefsHandle 12016 -prefMapHandle 12012 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38fdd0a5-f813-48fb-b5b2-f84fc1fc8940} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:3416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11664 -childID 22 -isForBrowser -prefsHandle 12028 -prefMapHandle 12024 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00a808cd-0c11-4495-970f-7e8ecd3e6722} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12220 -childID 23 -isForBrowser -prefsHandle 12328 -prefMapHandle 12116 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaf22d25-d65b-43bd-a75e-75617768d8c2} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12572 -childID 24 -isForBrowser -prefsHandle 12644 -prefMapHandle 12640 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d50b34eb-6695-42b0-9a26-cce3ca52aab9} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12752 -childID 25 -isForBrowser -prefsHandle 12760 -prefMapHandle 12764 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ade2eff-46fb-4b52-8772-d14203aaa87e} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13028 -childID 26 -isForBrowser -prefsHandle 12952 -prefMapHandle 12956 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b502b0d-a89b-47d7-b5c3-cc2bb209ec3d} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13484 -childID 27 -isForBrowser -prefsHandle 13352 -prefMapHandle 13356 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb1f5f4-d9ca-45f0-a719-300f9ad9debd} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13228 -childID 28 -isForBrowser -prefsHandle 12604 -prefMapHandle 12920 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2b9dd52-47e9-4898-9005-7fe1e59dde65} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:3812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12588 -childID 29 -isForBrowser -prefsHandle 12596 -prefMapHandle 12600 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d323952e-de93-4ce2-9437-ebf97b357952} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:6228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13652 -childID 30 -isForBrowser -prefsHandle 13660 -prefMapHandle 12764 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17e29187-912f-4b19-840a-41cf7efd395d} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13124 -childID 31 -isForBrowser -prefsHandle 11128 -prefMapHandle 13136 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9181316f-6c9f-435a-90fe-40f56c41c866} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:5300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13840 -childID 32 -isForBrowser -prefsHandle 13852 -prefMapHandle 13928 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e540346-0278-42bc-94df-734af71ea10a} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:6612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14172 -childID 33 -isForBrowser -prefsHandle 13904 -prefMapHandle 14164 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17e92e98-f1ca-4e5e-b657-94f32ffdf4ff} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13852 -childID 34 -isForBrowser -prefsHandle 14164 -prefMapHandle 13904 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90381072-fed1-4dbe-b255-6ca5f120750a} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14368 -childID 35 -isForBrowser -prefsHandle 14324 -prefMapHandle 14320 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b13c31-94a4-49ed-abb6-6a286914f4ee} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14564 -childID 36 -isForBrowser -prefsHandle 14476 -prefMapHandle 13852 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeb9f1b9-ad7c-4639-91ff-c46286ae9105} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14600 -childID 37 -isForBrowser -prefsHandle 14592 -prefMapHandle 14568 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a45fa08-70cd-44e2-b8e5-47c41b4433df} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14916 -childID 38 -isForBrowser -prefsHandle 15228 -prefMapHandle 15248 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78fdb5cf-b6f4-421a-a8d1-3a2998e73a86} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15056 -childID 39 -isForBrowser -prefsHandle 15044 -prefMapHandle 15220 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcec8441-93bb-4cf3-bec6-b6dfce2576ed} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:7820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7012 -childID 40 -isForBrowser -prefsHandle 9192 -prefMapHandle 14116 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a35c45ca-cb66-41ac-85a4-472ca98b50ec} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:9084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9064 -childID 41 -isForBrowser -prefsHandle 9040 -prefMapHandle 9056 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81cf306-3a2f-4bb2-a666-2ceb29e47694} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:9092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8920 -childID 42 -isForBrowser -prefsHandle 9080 -prefMapHandle 9028 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9503760-5501-4496-8654-82ce4d87a574} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:9104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15280 -childID 43 -isForBrowser -prefsHandle 14160 -prefMapHandle 14564 -prefsLen 27989 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {079ed8d3-d108-43bf-8c49-5dbe97f3936a} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab
    3⤵
    PID:9328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:8424
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ed649967-ee68-2f43-b7e3-15e3bc36b7ad}\NPCAP.inf" "9" "405306be3" "00000000000001CC" "WinSta0\Default" "00000000000001E4" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:8516

C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe
"C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:3600

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:10164

C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe
"C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:7172

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4632
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -l -p 443
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9220
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:9416
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -l
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9632
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:8840
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9724
- C:\Program Files (x86)\Nmap\ncat.exe
  ncat
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8500
- C:\Program Files (x86)\Nmap\ncat.exe
  ncat -l -p 443
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9856

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:8508
- C:\Program Files (x86)\Nmap\ncat.exe
  ncat -l -p 443
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:10160
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sT -p 443 181.215.176.83
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2440
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:8992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.cat

Filesize
12KB

MD5
851cc374a87e0a83956a29c762c008c5

SHA1
1f1c907e687631c551caaaffb0de28dfcfb03c01

SHA256
f05d0dfba14aceb7cb27b49ec8c4f1ce179813e0cf89a32855d7ea2fda91e124

SHA512
260c822dbb2fd53cec2ad352e97a42a665fc030de9cf0b223fed3a945822ccbd7e0e12fa0873646aaf38f5f7b93428f29c0bed3709fbaaa83a3dab6dc39a2dc7

Download Submit
C:\PROGRA~1\Npcap\npcap.sys

Filesize
68KB

MD5
1637086aa0ba4637d2788dc20a0cc67c

SHA1
4628fe7561526714361764ec637339b21ea88b60

SHA256
734c62543768e37c36386b4a07582bb5b322a60d5c997626465725c5b5cef978

SHA512
92fb3dd73873ef8a888823f14911f52fe7c11a06bf4172929783a3f3106ea6298d660389cfca902153424b8df64fbe9dc9c5651228d5eb72a650655df21f7cdc

Download Submit
C:\Program Files (x86)\Nmap\zenmap\bin\libgcc_s_seh-1.dll

Filesize
125KB

MD5
95afa46407017461a27d12ea57394db0

SHA1
a99f05f98fceb0668c72353aaaef2d9b32ce91fb

SHA256
fd8552152c052b7558d073bba4f67b8d72d25005c522194f48adb6dcb3f8d633

SHA512
f4d9165264ea8af976c4b95691980a1c75ab2d4977fcdad6211431d4bfb61d66ce916da631b2b433e46223eeaaf88bbc492e00740f12d6832ef49b7d48d2cccd

Download Submit
C:\Program Files (x86)\Nmap\zenmap\bin\libpython3.11.dll

Filesize
4.5MB

MD5
d80e839b95539429129827358222d60a

SHA1
91d360f28f66193c574276658b19c5dac5b590a2

SHA256
2c6086c81ebd8592ec242f478e7ec5ee94b4490d1a77e705c012121f5acbcffc

SHA512
62b11ec5c5afe3556f27df6161154b93ab56b580629028ef3c65f1cc051292dfe76443c5e8d2993bb9c0b0a5488b8b3fc9e5fe5c197fd2c561739d57a2be3f2e

Download Submit
C:\Program Files (x86)\Nmap\zenmap\bin\libwinpthread-1.dll

Filesize
69KB

MD5
759c00747c7e3cc0fa1170ab05935ce8

SHA1
92897670fdfc6207cdde17bdae21cc2d480e8b41

SHA256
5be1262229ba4082a2dbde47ec205833f3f1db069694947ce0f78f7daa774dd4

SHA512
4e2b9a1a9b3f2719f7dfda58871db54680674c2f15c54763a3ae21ba8bedb26afd2720c4d9ec9e142a0111247e20f825803ef2aa0cc7e9afe1c0eab745114374

Download Submit
C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe

Filesize
105KB

MD5
300c50efe729752e96e5bb8dbd9ae8e6

SHA1
2197fa748635f6192d3e3bdc2a454f2e2fe442e5

SHA256
0a8aa4319ecb5106bfdaa45a1d5effbfd71173cf30fa284906a4437f8a0c644d

SHA512
c8a4bfb38cdfe80e0900acbc433cb20f175a3155faf4e01fadc6b6f7775dbab09e9af0e400414a33f94e8655022503ab694e6a9ea37771f6867bdb8cd512b586

Download Submit
C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\__init__.pyc

Filesize
6KB

MD5
d22e31a09a70bd8a80d5eb7bef10fa8a

SHA1
c8cd1c35b15c90f031d438b0da4dbf7d0b68ca43

SHA256
05e331a442ad9d94d79c73e1262448df812e2179ecb07e84c55a9bdce1f1e5ab

SHA512
013623b30d00fcde0f3e75754f42239f337d220f298e38a0825c7e8e7da85234a4e902c7e04c8954e57c33392d83d8f13aeaa42fe34e1ab880aa2b9cc5fd270f

Download Submit
C:\Program Files (x86)\Nmap\zenmap\lib\python3.11\encodings\aliases.pyc

Filesize
12KB

MD5
c07b5c79f4e331fc2f1a61c97f314cc0

SHA1
97482ab33e9b94c84be33466f4b20886500a84c2

SHA256
5bf257fb777dc4d3889790a7b73746ac9533ec2a3829340a1d820d4fd6657670

SHA512
ef3269d4ba707b347733592b23b3d24f05144d548222840557f15fced06db64675effbf5e6ba5b34a32b497d9b156eb340cafd68520645cf008bf6b6505014ab

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
ed7304fce3f5e3de28435d3f9e8b4156

SHA1
45bc86c10386c9368ac482f341999a289dd46897

SHA256
64be5edac3eba224120138c6dea3e4a75740e23324fba5a0799499402d96a258

SHA512
d7532a12b726869e430745da536b7e1e85ce5871bbf3c3cf5fb4261f5b3d5d4307e6267a8b5f53a6719369e261c66c85c05f3941974594ae4864b16242cae41b

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
8ca4504e8e9b66d925107a8f13d9babb

SHA1
a1d34e2a6e9ce395da0702a9b1e1ec815dc144f0

SHA256
d1b2726787010252e4dec2a1a47fdd42d86b917c9c41f8baab2219de938b90cb

SHA512
4c3fe98134c6e7c180829f82374b22ab052e1cadd2d2ff71ff6eefa4e2a7ff21b8bff14ff21677099d2656a0c216c40abb9246860e70be9f254d73d58b624c38

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
8KB

MD5
80ddd9bc98743b7a011552bf240281ad

SHA1
d2139fd6c0927bf43f9095434d2842d636470ba3

SHA256
3bb176b8599f1d97673b79ed008a44419bf2e4aabba3b66e7cf70012d780d644

SHA512
b7a1c5e00f0e92d87abfe7aa58d995f7d3a953fef0fed3f3d38afeaaaef48b4db374408526c715029040d9fa64258f1532673baa8029a0d6372121a7f734f787

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
11KB

MD5
00e38290c84f02846b9f704649ddc7d0

SHA1
304c8e1511c927e88e9ed4e28c811158da5554ee

SHA256
8407ae3e805a3158b7499bcae55c9338d3d0b789ffbf1bddcd4cb64ab6a64d3e

SHA512
d6e0aecc89e6eb001a925ccf5aa6c308019bb44b94bd39a9b16b5082672bab3a766377ff4e49229dff50b32ea784090a8874f108e312a3dd5ccb1fe4e6f656a2

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
13KB

MD5
cbd116fe4469fb54f144e3acf3126c1e

SHA1
6f92da78131fe35ec00a958f3c7f2b500cb755f6

SHA256
18e7c63154780afd28c7e3edfc7612dc13586ff47429ea4ac89ac07c9055e789

SHA512
bfa4142b0faf6a021b73773854aa4fa85bf14b41ec523a0a70cd68b1fd0762f797f91a909074400272d5f263b448bdd78945afc96c9cbc0611a243f548fd8535

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
13KB

MD5
a41ad4213e53a8e47f77d0734a001309

SHA1
78faabb7c77b362cf7bf230d19064c6affdd37f2

SHA256
6e110a0d64eeaf419c5d06f3a91238e9bc6dc0586183baa85115a222ffdf1e6d

SHA512
b61bf847e3d0e73ba6314e32f59fe05fe0ad7fd7e774385597266784ec99e2e20b72d142bedd9ddb66f1d44bdb9409d914ad79ed9f0533fe12620251650af9df

Download Submit
C:\Users\Admin\.zenmap\scan_profile.usp

Filesize
1KB

MD5
0be64556263f7e7085fa1fd226c9a65a

SHA1
71d87e4ba660a627e8c4d5afc5b0d10fead10443

SHA256
c9854d1d6e4dd51efb7e9cd59a5672ecd96c07ce63d0311368dcc392d0e39e36

SHA512
6f926ae4a516a82fbff8c2255ce0d7b7ec7e82dfbc0cd394ee5522929cad7c51200aa70da54fc9ec65323440753d67a186a39eec7e6295a3e16e2482d6ef6d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
5ac89286a052281c1f0436f0ee73c242

SHA1
4aa0b9e296e8376c3fe000da7e423b73e83a5951

SHA256
f17caa2c7a6de687e6c923ff559d39cf3e3343e74a9c6d848b67739ca9bd2eea

SHA512
c7e58fd6932bd0c82b848c31c9f54e95a323a9c8af7200f5973d99da5500c1780e62d74933a887f2053c5921f7d52d9c0e24bb31a24c51f012d59eea593c6a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2fbbc972cf47c0fc6158602b964278fa

SHA1
c8c6c4fb43dcfd318221391a17a4b458ae7c49ab

SHA256
d9b4f4d377dce9b4c5388d0d77fec8be5b66822422283f0fc4fb0b85613c55a8

SHA512
4b3c85d855e8223048c5d340ea370ebe393cfa4904a43631b2ad6c0a96f3ef0f3226b574cf8fd698dd906d545b1d1422f85ee9bbfe0aa379333d915567dd71f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
8d9994a7c038a6d3dace5ff5f4531181

SHA1
31861a288480770edb3cb72512fbd185f59fe0fc

SHA256
4164129e1b3cdc4eb4bc1031efecc62d96a8d10a0b996f8867c297f0cfda2ee0

SHA512
491360d26c25ed84d88d4dae2d0174cb49829c5695086607c4ab6247751887b827a8ca8e56efd2df0eaac188e2bd163e7153186f6dd44428fb25a2d3301da2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dcba3574dc15089272bc664827d51ef7

SHA1
0bd7d637ffce5e8a09bf5914d6a1b3810f2b710d

SHA256
35bbad79fbc6a0001b95ed916c4a5dc6309ff6b7944c84194186d85576d33e68

SHA512
74b2e75a34beb7eb3df6be951d296f2a5b6bd80a45bffa93280640ef4a9ad170afc7481acea7c5366b00db73675a07bad4571c27389e48ffb632a8d88041f84a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
7458eed20a0b233d973473a823f1ec58

SHA1
5faf1f02120c12d2a663fae7bdee2ff355314bb3

SHA256
5676ff43575f3cb2f74093b663ab37b9e20511a6a3a0e4a8f1e061be64a8c6fb

SHA512
9085a2393a35a698cda21efd8361404d87dc18c8202567ab7ddc7864d8188bc1eb535bbec8a5f0ad5f104cfdee1c0f2ffd67408439a82c86ff381b2937d5e44a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
cf72ecf2ecf22b6559ec4de08eabeda5

SHA1
0f1aa5affbc3c328480d8908b5157abf0369e68f

SHA256
3d93721fd17754a145ecaf10e2e94d5f57237c1b2ce4523cc52fbbb0a32606b8

SHA512
4fe846331b84724113b223aa3437a20c38cfb09626e799f161cfc3a51b47c47d6968a60f15aa35e85439b8d90f9947df03256b458fc7c361a9f8362adb2abad4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
29533e42c0fd902ed03d9a2ad93b032d

SHA1
7a7e617ad8bdf5be859e823bf6d215eaa018502c

SHA256
3101e0db3a3558b198f9a73272ef445888daadfc43bb2331622bd9e113d8cc0c

SHA512
6e50015f2c8f339b41c5f4d4ca40f08385b9f844828d2354115f96ac9f9ad9933a502414b3ecf3819d679b5403d46bc5c53fbab23e3e9f513d2eb45af9c76001

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\doomed\4841

Filesize
13KB

MD5
44f29f7211d5d16777d14d9df4afbf6b

SHA1
bf34dbabee346b7102f6ee71892be2c131e1ab7f

SHA256
f8f6884b39281cd56ff795123a31a41127e6cdb857f7b078fac08480a0ce0fb0

SHA512
0119581051e2328ec07c3b7a485e1707c305403c591af7758336f3a1676bac13ea53dc77ba8ffff5f7b78d153fa52af250f602aa15987c9b0c5cb9efc82b467a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\doomed\902

Filesize
25KB

MD5
c01d64e4180dbc9164f4594aecc17dc6

SHA1
864224ff1f4ff74bf40e3d0dabc6f011ef8f39af

SHA256
a8e8074574f4065a6475d975827add171a0a3f782e9e73756e643348db111b0f

SHA512
98e9345f3d3563caa5b6eae2d9d534afc1d263e07231976acebc697e1607d7bcf4e21b59fe1b5c4ea2193168c914986e410d3daf0eba41b62c62999b778afd12

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\19BD8563A565A34584266FFE5ECBFFCEAE2904FA

Filesize
408KB

MD5
204e048e4b8a08af95733d0d7fdbe5f2

SHA1
3db6dd776ddddedce5de5d1253a59e10edb791db

SHA256
5753ba3cfce5f9814ca26a09ea64b454fef860fe5842ecdf5d2d23ad2cc1e3e1

SHA512
cd409869c9e571699e4389aaed937b4883e288b21127ca06b631e67826b631544c906ff9876b6f4a7dacc89ebde64551f5b3804d1eef56d6c17603b0a19d928f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\21AAD37F904BD486005AC37D04F29784AC34E42A

Filesize
224KB

MD5
d6652e5c17606ed0f538cdcf5dd4226a

SHA1
038c1110b6eb7614c883808d3b451234624249ee

SHA256
9db03ec7d88f7a1fd151ff6d1622d3a560a9aeee1cd80387a98df0df3c03032a

SHA512
62fdee5b155b6a06c1c65dae129a1238868161ee86a36ab7e9acc402649ac8aaffef47f3502984e8608a236226dd27cc24e7149369be9acd9bffbe2992c3c020

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\38EEC9C054A68E6A6BDF7B3FE4E840C27BD37EB3

Filesize
144KB

MD5
c9aadcb0b524c9f2968938ec8f823a6b

SHA1
b972fa6efe681fd61028c8702ff39cf7b16b5eb4

SHA256
f2272be30a1892091797a3f90706606573aea177688199cf1a38138551030cae

SHA512
ab7e2aa15aa3da323d3bf8c2591d361928fb095ca298a926633d086d223799f4d5de2f0f7ede6b390df86d4ac0399032c233baa3747f91cc2e744e4fb3065387

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\50A9D7DE194B4AC9BC5603FC24DB803494A970E9

Filesize
76KB

MD5
2bd183a265ef0e8ead8610ab15e4d5f4

SHA1
1611da494c721064c25aff576317d9bc9fc0ec29

SHA256
d06f13cd7ace8a0e487d4c58061bf388fdfa57675ff66329e6afe9930e52f480

SHA512
4dabdbc5052035fc89f5edd919ca59b9fc9b0f0ab503afd307e8dd0268f4ddb1c18f4e284e2104fb2a58eaad7a6a1dc23b4a4bdb17af5161c90e295a1fec60a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\541259D0E21E8A8673EDE1F23B088B49A068648F

Filesize
81KB

MD5
edaac66038ab3bae7d30fba55867d1bc

SHA1
123c0203a24835472f49531795b23ec50a924cb5

SHA256
93a5f2a10bc5e0d88604895bfa2f52d5d51c54a073145803a330ebb711b002cb

SHA512
e96eeb17b7260093262ff10e142d89f83bc24e5e83d4f4f416aabcf8ed8b3cff0c818b7b7b66248d61e6fd1005a6fb8b6c06588a5af1b1d95767bca5d8be012a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\5617C2BB77122AC13DC0FB65336A8386EC872F9E

Filesize
21KB

MD5
b94171e6dc6a21bc66933aa04dc447f1

SHA1
cf2837151e9345fb39e5a1bff4e404511a5f2540

SHA256
88214159e51b662a6e99e3c788b478ff4fc1836e1e3478cb215725c65dc450f2

SHA512
24523f1a3f5eb290067f3947f41231ec342a403396a56e32691ab0782a592d805f9506e27c1d26c8b75a8180233e6c20ab8bd3f9af2df50f8cc98c0a1431cb5d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
9205341f3132fce90fe5b78af8efc7fd

SHA1
cc13065fc959f45d57752c185e0aa1b1487505ec

SHA256
91ab828564d947299142ee269ea88fa3ab1dd69b78cc98e6e6eee17f826fab64

SHA512
2c41c2f23a6f21ecac50f9710751ed4b827be531086d1abd4324825680f3c6920f9f95e3617fd52ad2b3b29466e41050d348c9b688e6271e774fa40a52fdc3b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\82EAA571D14A59FA33DEAD5112170FE06FD0C031

Filesize
140KB

MD5
09ed2b150c9eca5aafbe464f8fee1b27

SHA1
c3c2fab9a19d0501efe39a279c61c05aac9b4ad8

SHA256
beb53052f50581af46aad89214fba16a63207bfaffb060526f3f6a401a4504bf

SHA512
49c37b2a13c5435e40943ca6f10464ca31136c462c9493ae0812d89dfb5f7498e9254137debe2d8dbd38b29ec8c8377660ab1dbac2def0ccf77ed62e0e314e6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\8888620FCCCF2F0CD3024569BF10FE8A2F51F649

Filesize
509KB

MD5
0bc05c2d11ed955998032156eaba746c

SHA1
080148d62afc7d6ef1a8abfd984938797989c75a

SHA256
42685ef56d761a3a69097a4f57b3aaa2d37b356b2c6df916a329d4c7384a4e24

SHA512
4cc81f0337fc9b67bbded76188ecd3cdbbb86daf97869b73c6f0892b382c199d9492a4da579a0a03e1f26f50f4ab6d55f2004a6f808350424f67b178c7943911

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\9EDB102A6A63768E8329FFDF578D03BE7AF05680

Filesize
152KB

MD5
cbb9cdd7fbb59a47627757fd5b842597

SHA1
628068c64ddb2ed92a85d64a1ea7e5b9c58894e9

SHA256
9f50ed9851e1461d586117718dcf32d11739a8c71c7a05bcb7ccbb95259f7233

SHA512
f82b500512e9bc4892f59ff99ffec359a129b051a6658c39b9eb18efbd02a90543fdccb55e06f72dda1c2458307b652cd0aa57f415c491507f06f7e2f8071cba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\B6BCD1F644CF51E38C25E82F1D06AA95899630C0

Filesize
15KB

MD5
efc2c2131f9c0ec4a219464e884278f0

SHA1
acd8647aca35b0b380ed8e8226f5a6dadffd4849

SHA256
3165894dbae1bb2bdb5d9dce49687b97e78698c04fcac9966b3fee2fdeb43923

SHA512
3ae97e6dd27785e72f2dc4fecb16bbf2737dab57ac8abc885f4f5b3614f68f225821d6cc6d3fe09399eacc3189ad6fac2130e2e24b8c537d8d4d4c87102d6f7e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cache2\entries\F4197DDE65DD589ED46A60BD5676973DA5C2531C

Filesize
22KB

MD5
568353be619d30fbbd375e9cf6ecdbbb

SHA1
9d8afdc634069c77caab725791842722cf0a8a57

SHA256
7ece407f474744483b21c3112021fa71f4c217d625df8659dcf322042f67159b

SHA512
4688d4c539fce334a92937e535202c53a9f46dd51c8f9bc1425e622df4497423df49816bca173d9d878f2913bfa5bb001d057e46ace157ef00bae54313db41ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EF4.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxusdb3o.mn4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\final.ini

Filesize
618B

MD5
9af98cb91bfc2bfb796284c0c2b110dc

SHA1
2496a0bb355896541b12d901b33b87f82e35fd14

SHA256
8227648472629dd1b4136401d31f35c24797454504a3d6a0e9bb41bc8b4d9984

SHA512
25aa2a3bceaedf29c3582bd8fdf7fbe6a60e7b642d77d6885c5377b4a594ed56082ba542afa92d7db336fdba9c991f39384e27e0f89de7d2d667df1645aaaae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\nmap_performance.reg

Filesize
192B

MD5
3cd4a36a0dcc9e0e79d1df1d6cc712df

SHA1
a9b6fe5c0e01aec042e68c2bc700a721c4ecc995

SHA256
e77d7b5158ec99d19e552025facf50f477a2f2b1dc3ef2f198520cfa76e9707f

SHA512
d3d5ab7cc0943dd7ae85445449249109eeb5f871e1c7baf3139cd9e2d3858f70040102dc30b089fc99ee82ebbf99335c2323b1d070552cf7e565a1ac70ef2487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\npcap-1.79.exe

Filesize
1.1MB

MD5
a4d7e47df742f62080bf845d606045b4

SHA1
723743dc9fa4a190452a7ffc971adfaac91606fa

SHA256
a95577ebbc67fc45b319e2ef3a55f4e9b211fe82ed4cb9d8be6b1a9e2425ce53

SHA512
8582b51b5fea23de43803fa925d13f1eb6d91b708be133be745d7d6155082cd131c9b62dc6a08b77f419a239efe6eb55a98f02f5783c7cd46e284ec3241fc2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\shortcuts.ini

Filesize
452B

MD5
4a0bbe8383346a2146fa07b5025c30f5

SHA1
2205fe641f61731d4f7f12ca067c77b0982d77ff

SHA256
8d9cc8e0073c30116218d0630063591063666b0d74efccbe4604341766bebab8

SHA512
2c095366310ca58e1586b339b9ce5f5b990e3015611923fb34ce444e006f90bfdb1591bcea6c867eb69eb8811dd2b401a7faed015a58d7b1a14397979cce9874

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso70CE.tmp\shortcuts.ini

Filesize
522B

MD5
ccb8295d532e841695cd53b34d29f1d3

SHA1
bb5a7cf0a97d3dea4a1619c4841f1ab64809a585

SHA256
c20bb2ebd320e6b8a1170fbd7886e02dd6cd85f8afca03bacadc9db5c1c2d2b8

SHA512
5c21078ca9ef1138e993f5ffa463713007744436415fbe44e311e68cee9b81b1fccdb7488f858a810ab5caf30a4d9b4546f6a1f4a122f7526cb38e13b4809fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst

Filesize
1KB

MD5
de825a838e33ccf3d06b82de337c06d8

SHA1
68956e777f646361eae3f06ce6899cd48bb9f593

SHA256
3b63b09dff7e4c5fe7ccafff74d9f845d1eb04809b0b77a536b2e4aa7dd1097e

SHA512
e935ef759abfcafa4d9cf70a1c5508179600fc85d237e53d3e7f2683fa2e14859e5eee167007328995606996a19f4fcc0c1f9a851011a6fa8db6b53c68160a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst

Filesize
1KB

MD5
a52f3195b5585e1d9a9b38fef66a1801

SHA1
986a5f05ff51d261fe595f0ab56598658aadc9c9

SHA256
40795f603b2eab75fbd886715b0103f2f362494576400ae88925ed1ba7063bdc

SHA512
e9eeb34c3667e56c425b91890f463b5d80e4e5e9f485c2bd3ac064e1784ad118c1460af461e5af8acbbb3bc02432e4f914e54e41d2bdaeaa8af528f0e669b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\NPFInstall.exe

Filesize
300KB

MD5
c01beb6c3526554ec9dfad40502317f2

SHA1
89f468496bd7e6d993a032f918c5baabb21c11be

SHA256
5d54a5e7230baf2b80689ee49d263612a6011bc46ec52843e7b4297e9656d32d

SHA512
a7fdb3d69cc2b12c9795c8f5e34f64014273e471dc0639ff4693f18e3d5ea758f38f58a5dfc4d1800511ce3e130a7454fd371579e31dbba049770fb74b889339

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\final.ini

Filesize
568B

MD5
cae757421db8d011e41266bfd9439885

SHA1
7108a9f0740ee4e3a118f6ac9212e0446f074181

SHA256
ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204

SHA512
785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\options.ini

Filesize
2KB

MD5
d5b270807bd5e8e117db66010fd51afa

SHA1
4ef5f4835c4db596cc641d2de63187de8ee5c6b3

SHA256
5a5e297948d13919e4432a5f7544da14de5accbe6d228f32162669148853edf5

SHA512
ee06c81076891a0716cba6f4696a6c7e8033322e6a3378a9e41cef0f3baa9483898df7bd0058da6faf857660d1a5e36ba5ccb6f55e6648ca6450420eb595fca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\options.ini

Filesize
2KB

MD5
03054955db10efb45a20e2129e7d8c81

SHA1
e3f85563782317ece99e4fa59d7d438ba91d9172

SHA256
9e74e273e11ee9a428fe273fe50a2c835dfc57833532053374da294e556d58af

SHA512
98599cb353ff6f3583eb9f10235f0e3809676cfc4af04f03010fe24fa2e6fe8209d73cfe4f012726ca9c567d64d51e9d47925bc5e3710e0b6ab15ab39623993d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\options.ini

Filesize
2KB

MD5
978135ceb822bcd08ee0cd8cfcad3bed

SHA1
b61fb63a356e1646787a9f12363eaf4137a7b0a9

SHA256
9d7fa6acdb7f8091952ec03245a4aa549e966cafdd2e013e100664ee9371d27b

SHA512
f889d1e8d6c4fe079621a60998abbec4e7244bb70ed45ddb232e5b550feceb8633ae8606607fe4287f7ba1e04a0b97567875c080015134ee90c680e477bb068c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB0B6.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
60KB

MD5
22afa8f2a85ab70bd509df46a15e2807

SHA1
71bfc1693ab2f6e8648a7354632814bcfbf16e60

SHA256
1143bd97cd2c4b1a1cc86d1e74925696f2c831aa599d16d3552a183766c298c5

SHA512
eefe20abde617d8c44f0891bff4b545387f6d36174e6a3584e5e57c0bc7b403648b3f6a8e906bbaf2bc55ac0696bdfb482b2eba169988aa3cd70587fd039b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
2134d77fd85716ed9fc25c5dcfa11661

SHA1
652fa9f8221e6a4dd5ee7d88486d39d4b13cb68d

SHA256
6e63f7829513553ddd358c532c815e6559d21f001cdb6baf3efcd625e2529fba

SHA512
fb1bde989f0876eafd5985ae97483f79eb75b828602bd0b33348607d292690261062b0fdffefe58cdbc6da0d45f26f8035fb891bb6d36c5ae5fcf056f193aab9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
9d176691d26300effdf4206c2feb449c

SHA1
12b22900dd064e777b9f547ea4eeb787cbb3f0a1

SHA256
d1f56153fd2fae33a4a9f6086dbed34cf95fab264df77e61a155848a471b2206

SHA512
379e7f3bfa840c3cd8e635b3b6bce7d3d1e1bed64a0e07c0cdf834181b063c794a6578ae45922df9272c176b7054f588f2892047074af9e30c6700c6f8e2b567

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\AlternateServices.bin

Filesize
8KB

MD5
8744a2d6922faa8c8656ad418dd67c4f

SHA1
78920ec6ea3ff46e34eabfbb06a55f3b7c268b46

SHA256
fc784f17db436b0437592c5b7aba78311821a1c1b3415e0845c404b7c6483c55

SHA512
12ec2ffa70f38c7e0ff3594ee5e42ca007ce7af12b13f3344f7305bd33f14caa0855377f4da522801420cc494b61703b48e5c0a56a6f3575a66a48a639f1b1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\bookmarkbackups\bookmarks-2024-12-11_11_iCwCDegl47a3qp9FWJSUjg==.jsonlz4

Filesize
1016B

MD5
709f3a1ca51abed1d9a80c1e3712777d

SHA1
26db678bcb5f302297df418a4f8adc7af99a2795

SHA256
4b2bd14168b67ef7f2a8cffb0054349314ad9b599c86ccaf98c37ec99d494f7f

SHA512
87e8a8859f519dea9fa4120e39401382f68fc39b23b7b5ea1553489d573c15f4b9e62fcdf13809f228f504c52020e2bff42a62e647b5542062a963e31c49fe7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\cert9.db

Filesize
288KB

MD5
111b367f8876168d8eeb71d00500fa7c

SHA1
a83b0994e4c8dd14586e4950ab9df42ddf57ebe7

SHA256
892b26e7664a26ac2b726eeee60c378a3140e5f0eb8aa6e429ea8158f0ae1a0e

SHA512
500788f554ddc3e56b49ed15b91a801a521e3fcc5db10374c0b5b3119410bf48cd47b4d89a208ce4a3c5f85c5ec3184d8b1d7e0884d86cc493ed17fe69b5a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
184c3f2d679554da867d2506178cf89e

SHA1
0ae635fbb52d8a3c2c2cb2973113bb57bf7feefc

SHA256
c562e6f746294df0cfa43540dd6bd88f9aefcfaead280be12fe83963a2d68a47

SHA512
edff3916da904f7582367f862c03cf8c794de31e55912948fc81ecb1c1420c05794bcdc5101aa6ef42f9824758fa39c99625d7893893b9df47adcf140216924b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
4582692044d9ed5f247d36ed1e91a579

SHA1
e8256e7d81acd8861b6ccb865c96d1e1ba18ed94

SHA256
baf3b83be332d46db62e530b3c907fea84dc0d777287dd8128acc7ee386b8c33

SHA512
88bbd01bba609d54b9787893bfd7b4fdeea9ee46a9a55d3fac8e51aaa111176570d29f282339c6690e9fc89feea9a2ee3f3b2c6f8fcc05106cf8c739ba02ebff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
cfdfc2108f4d1ebe5d8aaa4612b712c7

SHA1
bb61974609fda7665551e2b906098201edb83248

SHA256
a68904ba2da7008413cc6ce7d407a63c9e773b3de1ce9c7750f0a307fd77525c

SHA512
2693d58ee30bfeebdcef62e6f78240c3d0d3cc55e4ae54ced1e8de7275cb9a911996e169a7ee1d33340b4a5c14dd95171b051b136c48b903de600d58fe9622c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6f6b0c3ee358a3f0ab3293324c982a93

SHA1
5800ce0f7ce2d932d6c4f70bb027ab060f8c30f0

SHA256
afe3826166d3eab2be35efd4899a934df158dff6b3d0f37a7ec4afb7189c258b

SHA512
01336f638c9e4e8ae5b98621ce27251db9970eb3ef9e4fec19434f7d06d42e3ca8a2a1444b5ff582788545a8d7538d8f7af8c8c96cbbaeb0926e620f0c33bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
95KB

MD5
026ecb0063fca236373eccdc13d16b7e

SHA1
30e07fe60d0b0f3c01e83ca987da990257e10a16

SHA256
f40c8bec1ed8a55110e81310f18cf4ed79c57feb226e166c0d1abb94a956d53c

SHA512
836def787cea44a433256bc772e1a4ea781c489bb6f54793b6b70b8523b11426c830e9e953a5612901cebf06b0d56811dd81d7d892959e2f4ba8985c82d53a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
75KB

MD5
706803c307cabd8defe108a415e76c4e

SHA1
4438da6fffddbdaf521659c33ca25bea690dbc4d

SHA256
8169f6b0aa10052eaed5d104f764fcb3aae1439ccda8910fb35ccd27894f9f3b

SHA512
75ddf9100940f8165bbad70c32cfb5230c9553fe6df787bbdfb060239ae30d0bc9cd7a798ee350a1fb4c316544cfc762973367ac069f3dfb989992c2e047d547

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\db\data.safe.tmp

Filesize
95KB

MD5
aade900dad4f9224ad89eca18ff8a258

SHA1
446c69babd4de24e5bc26c41ec2cea0617b3dd58

SHA256
325186e936b1f7b3e56b732390466a0f6d68cbe14f50607d221ce6db3325c6e2

SHA512
02a7cf919cc540ab424022438b042752a401ed103e5b6f8c371ddd3e820f5535b6183f47c07ae8ddb92405aa8c360bcaef9310f8ed4ea919694cd08c41b89114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\27bc7dbc-f30a-4a00-b4a9-1f00f1c7400a

Filesize
659B

MD5
ee74b808dedb7b285a3e64e40031fcc1

SHA1
17c18524e7856370b634d2874624ecd83d285792

SHA256
44250a21e20ac40b59d4b09b73cd0df73a26d393f6d940649c654eaef991fed7

SHA512
1c1c4cca85e4ea80fd736782f0a5a386df77b9fcb788f5afff0cbbc1cc83b581fd9c745eadd204f758392d690fe5b815a574dd8f75b483f1349df59d3786c1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\4b30db2f-afc6-4f45-8c3f-fb542554b5d1

Filesize
982B

MD5
930134b4edb9fd0280b38aa7dffc9784

SHA1
f937db6235de94f6bbff991531909e386b71f962

SHA256
408ad6d491e9b2b9a282e612cebded4c89dddbf3d4203971f538bf4a8c554fce

SHA512
2588152ac2402d2aab362862f7c9894d6a0daaa078cfb3c59aaaae4f397b7e097d26e2085389f396a164d5372d806e4bea34670aae09465d6d873144c6c322df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\c7d8f945-eb7a-4e9d-bfd1-1bb1dbaa9ce8

Filesize
3KB

MD5
9d971c50cf8f820e4d3bb26be456978d

SHA1
58e3e9454d971cb1ce602060a24f19a33ab88f3a

SHA256
dff50b18464ce8b65bf6145d2b125201c62096555a9c780ccfa731ccd21deade

SHA512
310b975c09a794a65b0828840b8b2758228e171b8a944ee62e51e3aa9b819a50983149647df45e7993d92c13ec856db3f4f46ae75a12d28b80cb8f940a18bc27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\datareporting\glean\pending_pings\c8914923-292d-4b29-95f1-401414ac0a7c

Filesize
846B

MD5
8bac07dc0dd4297111efc389037b3ba4

SHA1
1888f52ec3361ac0ecdb8ac131c6c96761218573

SHA256
ce5e3f1e7e7a57443115bbc2377963a1593fbdf0c72befc735cb504c6717d948

SHA512
6e138ec03b759c2520c30e13a37d9c2e001d02a61143bb70d7ff3f725ff76845022f441c65ef069fe68eec968459d0770f923d53551bcdd71471c983cd6aba5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js

Filesize
12KB

MD5
14950fd7f1eb2064aee1e0780cf0ae79

SHA1
b7ea6391deaaf681ccda512e96f0cf2c379af3cc

SHA256
2bae7ecc3b557042fc432548f24b671898f34000779931ef286a6562f99d2a1e

SHA512
184bb4fdd799251faf77e381e58c2e9b2416542625effbc6b0ac3d1278bdc2c7f3145f9ec4df767b352df5492b255970fe24cd548741f1cd17ad94a49506ff95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js

Filesize
12KB

MD5
27cb010a38611bb10e5db8a5a7ad8257

SHA1
0ad43edeb7fd07668e37d5b017a4cc5e65bab361

SHA256
bea257069ed3b33d4be5c6117dfe92aa243f1c1b7aec78ddf01701f43a8a1e64

SHA512
75d62d64202fd1eeb8f235dc72534e592f3f279b9a245affc5282aeede251997b6369b1eb4683a3bdacc070b25a288690161c5790af53d3d88a2fbb69926e68c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs-1.js

Filesize
11KB

MD5
dde4b63c256f18d493cd788c25989e2e

SHA1
c859900e895083d800d96d597da29872eec04c29

SHA256
0a9efce5a6672be20e5896745e8fbda54acbcfba9039ead17dd2048e728e405d

SHA512
11a59f9d8004623d4acc170e05e923b408dd44c4171573ba4b796e7d1a73bbf409de7f8daeefc7298a34025080449d88a738da7043d5616c8e0e7122e00e0456

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js

Filesize
10KB

MD5
15c96a631aa07bb868721779469235dd

SHA1
5f6d927b240d4dc7d432845c33728c07c6d5bf13

SHA256
19018ebb39a50cb49da26b4c8a6fbb47120d3b8bd3618631c1887669a15611f3

SHA512
dbad8e87b59a15f948845dcf9f023129f0d5e8b459c305eda82aff0e3ea2021c9b357c45f5a6f19dbe391d55a60cc93f989d5d12fea5579111e4a5d27d076b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\prefs.js

Filesize
10KB

MD5
b06ab0c812943a8c17679ba81c3a74ae

SHA1
0680f8086017009a30a2615e072a4d4765473f60

SHA256
79560f56a304f1385498b7956e62cbf15d212e077f06a48722f1e56fb41c768a

SHA512
7ee8eb1db717696a2b0786ae3ec53db48e758a339da2b430e7a1feb8283ca01f3ae065b1d7a5090f6ab72c62933c1bc88017b72609e170d699ab20d4e9abd92c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
207daa713ef91933e4029b935a26b658

SHA1
ae69d1694cd42b214e0436b127eb1b491aabdeb8

SHA256
255aef7b442aa78b9d6d8e02693b5e10ffc2101276363293782660a1f0352434

SHA512
edd06c30affdaea40e8bc503d3f3ad73d8ab82b2685afcf07f8b22f2472c5a6f1691211db12e699a4d7d006787e52a236e9f1c90c210026e9b0248aab23c77a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f40588d8f760e999de5e09bb082482a3

SHA1
8c91edfa217a7d014e2afe09331202b0e0f594f0

SHA256
d43c7a2cd9a299f7dabd03a019ca9687ea536d9184d49f77f3afe8574a614678

SHA512
20f4c642edd1de6787bf69116de674fef1b2d611278aff95099f74efed3dcd947d4a145e37fb86c19569e8057910b59c9bad07c2582ddb9ff1ac1c991a46f51a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
d54b2a34d68db125559f0e1d3e50ec6c

SHA1
bbc91bb94f2e6d6b9fbc52279d37ad59c8079020

SHA256
402a708656a2b3a17ecd32a9ea9ec95869111448a65efca5a48db1f63516f95b

SHA512
24699b068cb6344d604dd8254acee5d4e72f3526b450ab0c6d9fea4525601e4d16d2c32c3667acd0448f1e0a8af23930b1dd652a4f2cf3731361458465d1a2f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
b59e1f69aa6ad4b92800479adad536f0

SHA1
256183e9998a04575bcb32a47057a0242e210f31

SHA256
9c265d7bdd1f78add47e1ca1e843ef9024864c56cb91dd44cd03a0c6a54f693b

SHA512
10264604b6e9e6f57858087a7e381ecf4e041164307374a490ce9682aa619ddd1af1737ea19275bb406076d189b66a6a20f981aca60b06945ea17b10a34bb1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
565f30f5f711eb7c3137325a2f82f44d

SHA1
bfc7ab59effa12d71c3d7ed6267374a80bb069b4

SHA256
cab3e8059bf12c45c3339021c6d4a3456fca5ba7467cf15f2ff01756a0878a0e

SHA512
31141a19b7f0ec318ac3e3624466b2931e24bc653ef32a6e01d461bb41f485aa52bfb2a0efa2743b99db574ae4d0282186f44b9fd7a6bd3140e20074d3c3687e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
f77eb828cbb3f78bfc2672d1fd620c95

SHA1
c31049d8306d066463c5e0339b561dc5e6858f1f

SHA256
03bfdf54ef9bd98748276208d96a5a48043e9e45c8f14712b53682aaf067d445

SHA512
78e7c24dfb6370c7a2f0c8cf053c1487208e52aa3774ce83be25c64cb29bd6841a8576a4b84f5a9bdfecdb49c66185bf0ac843a2b0201fbc0d36ffac18a102b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
41fd794f591b6f73ce45e6f5324dd3f5

SHA1
ef3c15d85e61600f6a639d414c94aee0063f19a5

SHA256
1d0f683f42271cd6ff8d10fd8baccf4eedab8e96a1474a2b498bc4dd7521b659

SHA512
949dccd1d4d77913da7f1caf1a54b719e183a8823046607dc0934e89dd775d17915efdbb065154cf427aafa59e575a8bc21460f3b69ec414502bc535744b4fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
3cc183fc9920a8980e0fedcd7ad872e7

SHA1
d00b0e7472bfb4c6fbefa2df87e244f6e9659317

SHA256
54f784395d1174ad30e2dde869cb2b9c88f537020c538c208a7e1b312b19d15b

SHA512
162bdddf5a9764faf49d0a8652108ff2d8d0080a36ceac3aaa8cd85062d79eddfd82fa8fbc713f984b7881c209b282b1059395f7b083f06ad879b03a18a8f2c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
1096b3daeb670b7e38011dd33a811bbb

SHA1
3be8e5aa237256a5d8e7ce5a88dabd3a2ee655df

SHA256
e6259ff2178d2cf5c829b7061aecd34889ded37560be09d6785934c40a52b23a

SHA512
58f20e08e6a50d23e4ce1c372f9e7f6ce2637fb05fee662cbb9230a6515902cceaa566dd497a2bfa6b4137eb754b6e3e30a4ec440536558b8a0377f41687b091

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
8ae535165660f6aacc6cd0aded70d75e

SHA1
620f1add29cbeb99e2cddf0bd4435aa8165ec6bc

SHA256
5ef9650af22898c914176ff70b95c31dfe8bad60b7a81284fc934c24d19f4dac

SHA512
9364fd06f6d97ec416319c6d9ab9fbe7b38d3812cef869252629235b4342afd06cafcb78315ebb891eb708a6f8c76e7ad597a839cf963f223de1f13f8ed16077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
db88b9b433a3e11e044d2f056b174ab4

SHA1
8a406543222af1f0eb038460082049184e23e1b3

SHA256
173cacbe2e1fe5cd75f444cc414908bb683052b09f37f4140b71226c965bd087

SHA512
4d855a4592ae4724e4e0cbaa6ec16597dbcad0eb2f36659f49e0735bbe0d2b95fc5e7d7d597c8fffb21167b2a7ffc03f41750ad6269aeb20597be7c1c08a2e17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
1fcf86e057f8669a51730fb150fbd4f3

SHA1
c256fd30036f772f8a0b5f92a29417040e270a15

SHA256
7d5d4dae623896b804fe6199ffc433f9faa11c42a9dd98739617c8ff12df4cd3

SHA512
777d3fcd994ee3d5fed5bc076981a540b3faf0dbc44a93ba7236d7890b0e4320fd5a8af92c5ae01d4cc5a4af319f14003a7f615b5f02f4c606ca22c1706dcccd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
634ca3b64159e0b26e859672c200c86b

SHA1
43eb8882806d4cacf24f590565130083c201b590

SHA256
5d970c23c8632b610f8fa571b0b7b3f39bb17b56718ee9d57a56ec3ad75a2783

SHA512
44f82dd1b951544a51779f4f9471f262326ce2d1d8afe41ae37dd7f25e1d262c5c057afb0fd481aca170e45ce1b174f10f3590b3ec8cec6c5392b47e0e223aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
5ab75143bd009150a110d240706b6862

SHA1
21ebb8f8b4199e0f2a098400a10ccb10485e4277

SHA256
be8d05b05f1a1af6f3727dcf2cb74d15cbcb90b949c828eddd88ae37e4d14b6b

SHA512
98c62604486ae6bce0d98f450010a341c1c661180daa048d52227db621cbae43818ff1e49c3a69714bfa8a54e89129f0d20f4e22318b6c7997c613f1b1903b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\agdhwm6k.default-release\storage\default\https+++whatismyipaddress.com\idb\12183338011.sqlite

Filesize
48KB

MD5
6ec598beba6fcfc4928ad8890d92a0df

SHA1
6cd9b992c333c144f9fdd11512f133484e6cf285

SHA256
c61fa67f075f8756d0e0632a36efa2711b03af0baa2364c1900e9db3b9b13fb6

SHA512
6bd694cdefbd90cf1c3713238f06647d35937d14845c219cef8e45039fd40c347bcab86d39b748aa153482bc0742fce2a2b0db085cabe3e97642e087234095b3

Download Submit
C:\Users\Admin\Downloads\nmap-7.TEKzkrmU.95-setup.exe.part

Filesize
32.4MB

MD5
bd457e3fb19a7f127a23369e70ee84fc

SHA1
09bf57bff436520af6b8842f7ea9f48e655ffffe

SHA256
c59b51d15b5965f27db4c5bbd21793ad6b492c8c751836ba8bd43829d791146e

SHA512
d55d51be6a12aaa87906102876aeec54bfe40f8daa5cde110de8c21b7135ad6d581caa7c84278cf02ad84efa13c16090b2336b90956ef983085c4da1e578fc35

Download Submit
memory/3600-5502-0x00007FF6315C0000-0x00007FF6315E0000-memory.dmp

Filesize
128KB

Download
memory/3600-5537-0x00007FFC625A0000-0x00007FFC625AE000-memory.dmp

Filesize
56KB

Download
memory/3600-5504-0x00007FFC652C0000-0x00007FFC652E4000-memory.dmp

Filesize
144KB

Download
memory/3600-5505-0x00007FFC652A0000-0x00007FFC652B6000-memory.dmp

Filesize
88KB

Download
memory/3600-5506-0x00007FFC65280000-0x00007FFC65292000-memory.dmp

Filesize
72KB

Download
memory/3600-5508-0x00007FFC65240000-0x00007FFC65250000-memory.dmp

Filesize
64KB

Download
memory/3600-5509-0x00007FFC65200000-0x00007FFC65220000-memory.dmp

Filesize
128KB

Download
memory/3600-5510-0x00007FFC651F0000-0x00007FFC651FD000-memory.dmp

Filesize
52KB

Download
memory/3600-5507-0x00007FFC65250000-0x00007FFC65274000-memory.dmp

Filesize
144KB

Download
memory/3600-5512-0x00007FFC651D0000-0x00007FFC651E1000-memory.dmp

Filesize
68KB

Download
memory/3600-5511-0x00007FFC5C8F0000-0x00007FFC5C949000-memory.dmp

Filesize
356KB

Download
memory/3600-5513-0x00007FFC5C8B0000-0x00007FFC5C8F0000-memory.dmp

Filesize
256KB

Download
memory/3600-5514-0x00007FFC49D40000-0x00007FFC49EA7000-memory.dmp

Filesize
1.4MB

Download
memory/3600-5503-0x00007FFC49EB0000-0x00007FFC4A376000-memory.dmp

Filesize
4.8MB

Download
memory/3600-5563-0x00007FFC485A0000-0x00007FFC485C5000-memory.dmp

Filesize
148KB

Download
memory/3600-5564-0x00007FFC48410000-0x00007FFC48599000-memory.dmp

Filesize
1.5MB

Download
memory/3600-5562-0x00007FFC485D0000-0x00007FFC485DD000-memory.dmp

Filesize
52KB

Download
memory/3600-5561-0x00007FFC485E0000-0x00007FFC485F2000-memory.dmp

Filesize
72KB

Download
memory/3600-5560-0x00007FFC48600000-0x00007FFC48618000-memory.dmp

Filesize
96KB

Download
memory/3600-5558-0x00007FFC48630000-0x00007FFC4865A000-memory.dmp

Filesize
168KB

Download
memory/3600-5559-0x00007FFC48620000-0x00007FFC48630000-memory.dmp

Filesize
64KB

Download
memory/3600-5555-0x00007FFC48660000-0x00007FFC48675000-memory.dmp

Filesize
84KB

Download
memory/3600-5557-0x00007FFC4ED70000-0x00007FFC4ED7E000-memory.dmp

Filesize
56KB

Download
memory/3600-5556-0x00007FFC54B40000-0x00007FFC54B50000-memory.dmp

Filesize
64KB

Download
memory/3600-5554-0x00007FFC48680000-0x00007FFC48691000-memory.dmp

Filesize
68KB

Download
memory/3600-5553-0x00007FFC56CD0000-0x00007FFC56CE0000-memory.dmp

Filesize
64KB

Download
memory/3600-5552-0x00007FFC5D420000-0x00007FFC5D42F000-memory.dmp

Filesize
60KB

Download
memory/3600-5551-0x00007FFC5D580000-0x00007FFC5D58F000-memory.dmp

Filesize
60KB

Download
memory/3600-5550-0x00007FFC5DE00000-0x00007FFC5DE0E000-memory.dmp

Filesize
56KB

Download
memory/3600-5549-0x00007FFC486A0000-0x00007FFC486B1000-memory.dmp

Filesize
68KB

Download
memory/3600-5548-0x00007FFC486C0000-0x00007FFC486D5000-memory.dmp

Filesize
84KB

Download
memory/3600-5547-0x00007FFC4CEE0000-0x00007FFC4CEFD000-memory.dmp

Filesize
116KB

Download
memory/3600-5546-0x00007FFC48E80000-0x00007FFC48EA1000-memory.dmp

Filesize
132KB

Download
memory/3600-5544-0x00007FFC48EB0000-0x00007FFC4905E000-memory.dmp

Filesize
1.7MB

Download
memory/3600-5545-0x00007FFC53FC0000-0x00007FFC53FD8000-memory.dmp

Filesize
96KB

Download
memory/3600-5543-0x00007FFC49060000-0x00007FFC491A9000-memory.dmp

Filesize
1.3MB

Download
memory/3600-5542-0x00007FFC491B0000-0x00007FFC491E1000-memory.dmp

Filesize
196KB

Download
memory/3600-5538-0x00007FFC49220000-0x00007FFC49287000-memory.dmp

Filesize
412KB

Download
memory/3600-5541-0x00007FFC61A70000-0x00007FFC61A80000-memory.dmp

Filesize
64KB

Download
memory/3600-5540-0x00007FFC55E10000-0x00007FFC55E28000-memory.dmp

Filesize
96KB

Download
memory/3600-5539-0x00007FFC491F0000-0x00007FFC4921C000-memory.dmp

Filesize
176KB

Download
memory/3600-5516-0x00007FFC5C870000-0x00007FFC5C8A5000-memory.dmp

Filesize
212KB

Download
memory/3600-5536-0x00007FFC5BC30000-0x00007FFC5BC4D000-memory.dmp

Filesize
116KB

Download
memory/3600-5535-0x00007FFC49290000-0x00007FFC492B6000-memory.dmp

Filesize
152KB

Download
memory/3600-5534-0x00007FFC492C0000-0x00007FFC492F6000-memory.dmp

Filesize
216KB

Download
memory/3600-5533-0x00007FFC49300000-0x00007FFC49335000-memory.dmp

Filesize
212KB

Download
memory/3600-5531-0x00007FFC49680000-0x00007FFC496DE000-memory.dmp

Filesize
376KB

Download
memory/3600-5532-0x00007FFC49340000-0x00007FFC4936C000-memory.dmp

Filesize
176KB

Download
memory/3600-5524-0x00007FFC496E0000-0x00007FFC49922000-memory.dmp

Filesize
2.3MB

Download
memory/3600-5530-0x00007FFC49370000-0x00007FFC4939C000-memory.dmp

Filesize
176KB

Download
memory/3600-5529-0x00007FFC493A0000-0x00007FFC494E1000-memory.dmp

Filesize
1.3MB

Download
memory/3600-5528-0x00007FFC62A00000-0x00007FFC62A17000-memory.dmp

Filesize
92KB

Download
memory/3600-5527-0x00007FFC4EE40000-0x00007FFC4EE83000-memory.dmp

Filesize
268KB

Download
memory/3600-5526-0x00007FFC494F0000-0x00007FFC495A5000-memory.dmp

Filesize
724KB

Download
memory/3600-5525-0x00007FFC495B0000-0x00007FFC49674000-memory.dmp

Filesize
784KB

Download
memory/3600-5523-0x00007FFC49930000-0x00007FFC49A5D000-memory.dmp

Filesize
1.2MB

Download
memory/3600-5520-0x00007FFC4CF00000-0x00007FFC4CF69000-memory.dmp

Filesize
420KB

Download
memory/3600-5522-0x00007FFC64B00000-0x00007FFC64B11000-memory.dmp

Filesize
68KB

Download
memory/3600-5521-0x00007FFC64B20000-0x00007FFC64B2E000-memory.dmp

Filesize
56KB

Download
memory/3600-5517-0x00007FFC49B80000-0x00007FFC49D36000-memory.dmp

Filesize
1.7MB

Download
memory/3600-5519-0x00007FFC49A60000-0x00007FFC49B79000-memory.dmp

Filesize
1.1MB

Download
memory/3600-5518-0x00007FFC651C0000-0x00007FFC651CF000-memory.dmp

Filesize
60KB

Download
memory/3600-5515-0x00007FFC5C760000-0x00007FFC5C7BD000-memory.dmp

Filesize
372KB

Download
memory/4532-3970-0x0000000005D80000-0x00000000060D7000-memory.dmp

Filesize
3.3MB

Download
memory/4608-3681-0x0000000007C60000-0x0000000007C9E000-memory.dmp

Filesize
248KB

Download
memory/4608-3678-0x0000000006D90000-0x0000000006DB2000-memory.dmp

Filesize
136KB

Download
memory/4608-3656-0x0000000003170000-0x00000000031A6000-memory.dmp

Filesize
216KB

Download
memory/4608-3677-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/4608-3658-0x0000000005A00000-0x00000000060CA000-memory.dmp

Filesize
6.8MB

Download
memory/4608-3679-0x00000000080B0000-0x0000000008656000-memory.dmp

Filesize
5.6MB

Download
memory/4608-3680-0x0000000008CE0000-0x000000000935A000-memory.dmp

Filesize
6.5MB

Download
memory/4608-3674-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4608-3676-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/4608-3675-0x0000000006840000-0x000000000688C000-memory.dmp

Filesize
304KB

Download
memory/4608-3660-0x00000000059A0000-0x00000000059C2000-memory.dmp

Filesize
136KB

Download
memory/4608-3672-0x0000000006220000-0x0000000006577000-memory.dmp

Filesize
3.3MB

Download
memory/4608-3662-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4608-3661-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/5432-3722-0x0000000005E70000-0x00000000061C7000-memory.dmp

Filesize
3.3MB

Download
memory/7252-3696-0x0000000005C90000-0x0000000005FE7000-memory.dmp

Filesize
3.3MB

Download
memory/8188-3988-0x00000000076D0000-0x0000000007702000-memory.dmp

Filesize
200KB

Download