Analysis Report nmap-7.91-setup.exe

Overview

General Information

Sample Name: nmap-7.91-setup.exe
Analysis ID: 432891
MD5: 5df3bf0234f0c2af2c470f98243c788f
SHA1: 7474a3c2c44e612387d1ff176179187ddc1b9bfc
SHA256: c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79

Detection

HTMLPhisher Predator
Score: 40
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 50
Range: 0 - 100

Signatures

Yara detected HtmlPhish10
Yara detected Predator
Changes security center settings (notifications, updates, antivirus, firewall)
Contains VNC / remote desktop functionality (version string found)
Install WinpCap (used to filter network traffic)
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Ncat Network tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

AV Detection:

Yara detected Predator
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.nmap-7.91-setup.exe.2c54f6a.2.unpack Avira: Label: TR/Patched.Ren.Gen

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: C:\Program Files (x86)\Nmap\nmap-service-probes, type: DROPPED

Compliance:

Uses 32bit PE files
Source: nmap-7.91-setup.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Found installer window with terms and condition text
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Nmap.Press Page Down to see the rest of the agreement.For more information on this license see https://nmap.org/npsl/0. PreambleThe intent of this license is to establish freedom to share and change the software regulated by this license under the open source model. It also includes a Contributor Agreement and disclaims any warranty on Covered Software. Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license. Open source developers who wish to incorporate parts of Covered Software into free software with conflicting licenses may write Licensor to request a waiver of terms.If the Nmap Project (directly or through one of it's commercial licensing customers) has granted you additional rights to Nmap or Nmap OEM those additional rights take precedence where they conflict with the terms of this license agreement.This License represents the complete agreement concerning subject matter hereof. It contains the license terms themselves but not the reasoning behind them or detailed explanations. For further information about this License see https://nmap.org/npsl/ . That page makes a good faith attempt to explain this License but it does not and can not modify its governing terms in any way.1. Definitions"Contribution" means any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition "submitted" means any form of electronic verbal or written communication sent to the Licensor or its representatives including but not limited to communication on electronic mailing lists source code control systems web sites and issue tracking systems that are managed by or on behalf of the Licensor for the purpose of discussing and improving the Work but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution.""Contributor" means Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work."Covered Software" means the work of authorship whether in Source or Object form made available under the License as indicated by a copyright notice that is included in or attached to the work"Derivative Work" or "Collective Work" means any work whether in Source or Object form that is based on (or derived from) the Work and for which the editorial revisions annotations elaborations or other modifications represent as a whole an original work of authorship. It includes software as described in Section 3 of this License.
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Creates a directory in C:\Program Files
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\install.log
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\LICENSE
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.bat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.ps1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\FixInstall.bat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\NPFInstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.sys
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.cat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.inf
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap_wfp.inf
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\CheckStatus.bat
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Directory created: C:\Program Files\Npcap\NPFInstall.log
Creates install or setup log file
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\install.log
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe File created: C:\Program Files\Npcap\NPFInstall.log
Creates license or readme file
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\3rd-party-licenses.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\LIBLINEAR-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\Libdnet-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\Lua-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\OpenSSL-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\PCRE-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\WinPcap-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\zlib-license.txt
PE / OLE file has a valid certificate
Source: nmap-7.91-setup.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\WlanHelper.pdb&& source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, WlanHelper.exe.5.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\NPFInstall.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\Packet.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win10 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win7 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\wpcap\build-x64\run\Release\wpcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win7 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\NpcapHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win10 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, SET7FED.tmp.28.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\WlanHelper.pdb%% source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win7 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win7 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\NPFInstall.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 00000013.00000002.439870347.00007FF6AC970000.00000002.00020000.sdmp, NPFInstall.exe, 00000016.00000000.441473140.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001A.00000002.449384905.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001C.00000000.450409793.00007FF6C2AD0000.00000002.00020000.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\Packet.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\NpcapHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\WlanHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\wpcap\build-win32\run\Release\wpcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\WlanHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, WlanHelper.exe.5.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win10 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win10 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, SET7FED.tmp.28.dr
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00405646 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405646
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_0040601C FindFirstFileA,FindClose, 0_2_0040601C
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00406775 FindFirstFileA,FindClose, 5_2_00406775
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 5_2_00405B99
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00402A84 FindFirstFileA, 5_2_00402A84
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC9657F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 19_2_00007FF6AC9657F4
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC941220 FindFirstFileW,GetLastError,FindClose, 19_2_00007FF6AC941220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AA1220 FindFirstFileW,GetLastError,FindClose, 22_2_00007FF6C2AA1220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AC57F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 22_2_00007FF6C2AC57F4
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AA1220 FindFirstFileW,GetLastError,FindClose, 26_2_00007FF6C2AA1220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AC57F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 26_2_00007FF6C2AC57F4
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData\Local

Networking:

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Source: SET63FA.tmp.28.dr Static PE information: Found NDIS imports: FwpsAllocateCloneNetBufferList0, FwpmEngineClose0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsFreeCloneNetBufferList0, FwpsCalloutRegister2, FwpmTransactionAbort0, FwpmTransactionBegin0, FwpsInjectionHandleCreate0, FwpmEngineOpen0, FwpsInjectNetworkSendAsync0, FwpsInjectionHandleDestroy0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpsQueryPacketInjectionState0, FwpsCalloutUnregisterById0
Source: SET68FC.tmp.32.dr Static PE information: Found NDIS imports: FwpsAllocateCloneNetBufferList0, FwpmEngineClose0, FwpmFilterAdd0, FwpmCalloutAdd0, FwpsFreeCloneNetBufferList0, FwpsCalloutRegister2, FwpmTransactionAbort0, FwpmTransactionBegin0, FwpsInjectionHandleCreate0, FwpmEngineOpen0, FwpsInjectNetworkSendAsync0, FwpsInjectionHandleDestroy0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpsQueryPacketInjectionState0, FwpsCalloutUnregisterById0
Yara detected Ncat Network tool
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED
Source: vulns.lua.0.dr String found in binary or memory: http://...
Source: wsdd-discover.nse.0.dr String found in binary or memory: http://10.0.200.116:50000
Source: hnap-info.nse.0.dr String found in binary or memory: http://192.168.1.1/
Source: http-referer-checker.nse.0.dr String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js?ver=3.4.2
Source: servicetags.nse.0.dr String found in binary or memory: http://arc.opensolaris.org/caselog/PSARC/2006/638/ServiceTag_API_CLI_v07.pdf
Source: servicetags.nse.0.dr String found in binary or memory: http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf
Source: servicetags.nse.0.dr String found in binary or memory: http://arc.opensolaris.org/caselog/PSARC/2006/638/stlisten_protocolv2.pdf
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://bit.ly/nmapafp.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://bit.ly/tcp-sh
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on)
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://cpe.mitre.org/)
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: drvinst.exe, 00000020.00000003.458451023.00000162FD6CE000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: svchost.exe, 00000004.00000002.479517709.000001DE3760E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: http-referer-checker.nse.0.dr String found in binary or memory: http://css3-mediaqueries-js.googlecode.com/svn/trunk/css3-mediaqueries.js
Source: http-slowloris-check.nse.0.dr String found in binary or memory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
Source: http-shellshock.nse.0.dr String found in binary or memory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://cvs.savannah.gnu.org/viewcvs/config/config/
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://cvs.savannah.gnu.org/viewvc/config/?root=config
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://cvs.savannah.gnu.org/viewvc/config/?root=config.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://cvsweb.freebsd.org/ports/security/nmap/files/
Source: pgsql.lua.0.dr String found in binary or memory: http://developer.postgresql.org/pgdocs/postgres/protocol-flow.html
Source: pgsql.lua.0.dr String found in binary or memory: http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html
Source: pgsql.lua.0.dr String found in binary or memory: http://developer.postgresql.org/pgdocs/postgres/protocol.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://download.insecure.org/nmap/dist/?M=D
Source: http-waf-detect.nse.0.dr String found in binary or memory: http://ev1l.com/xpl01t.txt
Source: http-waf-detect.nse.0.dr String found in binary or memory: http://evilsite.com/evilfile.php
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
Source: mongodb.lua.0.dr String found in binary or memory: http://github.com/mongodb/mongo-python-driver/blob/master/pymongo/bson.py
Source: http-waf-detect.nse.0.dr String found in binary or memory: http://google.com
Source: http-slowloris-check.nse.0.dr String found in binary or memory: http://ha.ckers.org/slowloris/
Source: http-slowloris-check.nse.0.dr String found in binary or memory: http://ha.ckers.org/slowloris/).
Source: http-huawei-hg5xx-vuln.nse.0.dr String found in binary or memory: http://hakim.ws).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl/29
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl/31
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl/33
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl/37.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://hcsw.org/blog.pl?a=20&b=20
Source: qscan.nse.0.dr String found in binary or memory: http://hcsw.org/nmap/QSCAN
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://insecure.org/news/download-com-fiasco.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://insecure.org/nmap/
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://insecure.org/stf/Nmap-4.50-Release.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://ipinfodb.com/ip_location_api.php).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://issues.nmap.org/.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://issues.nmap.org/39
Source: flume-master-info.nse.0.dr String found in binary or memory: http://lua-users.org/wiki/TableUtils
Source: nsyA5CF.tmp.0.dr String found in binary or memory: http://nmap6.sourceforge.net/
Source: NPFInstall.exe, NPFInstall.exe, 0000001A.00000002.449384905.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001C.00000000.450409793.00007FF6C2AD0000.00000002.00020000.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://npcap.org
Source: NPFInstall.exe, NPFInstall.exe, 0000001A.00000002.449384905.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001C.00000000.450409793.00007FF6C2AD0000.00000002.00020000.sdmp String found in binary or memory: http://npcap.org)
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://npcap.org)WlanHelper
Source: npcap-1.00.exe, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nmap-7.91-setup.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nmap-7.91-setup.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://ocsp.comodoca.com0F
Source: svchost.exe, 00000004.00000002.479517709.000001DE3760E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: svchost.exe, 00000004.00000002.476544985.000001DE31EA0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: vulns.lua.0.dr String found in binary or memory: http://osvdb.org/
Source: hnap-info.nse.0.dr String found in binary or memory: http://purenetworks.com/HNAP1/GetDeviceSettings
Source: hnap-info.nse.0.dr String found in binary or memory: http://purenetworks.com/HNAP1/GetDeviceSettings2
Source: hnap-info.nse.0.dr String found in binary or memory: http://purenetworks.com/HNAP1/IsDeviceReady
Source: hnap-info.nse.0.dr String found in binary or memory: http://purenetworks.com/HNAP1/SetDeviceSettings
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/lib/stdnse.html#new_thread
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/lib/unpwdb.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/afp-brute.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/afp-path-vuln.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/afp-showmount.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/citrix-brute-xml.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/citrix-enum-apps.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/citrix-enum-servers.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/clock-skew.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/couchdb-databases.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/couchdb-stats.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/daap-get-library.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/db2-das-info.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/dhcp-discover.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/dns-service-discovery.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-date.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-enum.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-favicon.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-headers.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-malware-host.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-methods.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-userdir-enum.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/imap-capabilities.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ipidseq.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/jdwp-version.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ldap-brute.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ldap-rootdse.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ldap-search.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/lexmark-config.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mongodb-databases.html)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mongodb-info.html)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mysql-brute.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mysql-databases.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mysql-empty-password.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mysql-users.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/mysql-variables.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/nfs-acls.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/nfs-dirlist.html)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/nfs-showmount.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/nfs-statfs.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ntp-info.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/oracle-sid-brute.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/oracle-tns-version.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/p2p-conficker.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/pgsql-brute.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/pjl-ready-message.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/qscan.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/smb-enum-users.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/smb-psexec.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/smbv2-enabled.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-interfaces.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-netstat.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-processes.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-win32-services.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-win32-software.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/snmp-win32-users.html).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/socks-open-proxy.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ssl-cert.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/nsedoc/scripts/x11-access.html
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/oem
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/oem.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/oem/
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/oem/RTL
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/psexec/nmap_service.exe.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/submit/
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/submit/.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/svn/.
Source: dns-client-subnet-scan.nse.0.dr String found in binary or memory: https://nmap.org/svn/docs/licenses/BSD-simplified
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/svn/docs/nmap.xsl
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/svn/docs/sample-script.nse.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/svn/scripts/http-iis-webdav-vuln.nse.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/svn/todo/.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://nmap.org/zenmap/)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://npcap.org)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://npcap.org.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://npcap.org/)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://npcap.org/changelog.
Source: npcap-1.00.exe, 00000005.00000003.334932576.000000000078D000.00000004.00000001.sdmp String found in binary or memory: https://npcap.org/src/docs/Npcap-Third-Party-Open-Source.pdf
Source: distcc-cve2004-2687.nse.0.dr String found in binary or memory: https://nvd.nist.gov/vuln/detail/CVE-2004-2687
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://seclists.org/nmap-dev/2006/q4/126)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://seclists.org/nmap-dev/2013/q1/399)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://seclists.org/nmap-dev/2016/q4/168).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://seclists.org/nmap-dev/2018/q4/13
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: https://sectigo.com/CPS0U
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, nsyA5CF.tmp.0.dr String found in binary or memory: https://secure.comodo.com/CPS0L
Source: npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp String found in binary or memory: https://secure.comodo.comex
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://secwiki.org/w/Nmap_Script_Ideas.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/COPYING.
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/3rd-party-licenses.txt
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/committers.txt
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/device-types.txt
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/man-xlate/
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap.dtd
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap.usage.txt
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap.xsl
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap.xsl).
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap_gpgkeys.txt
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/nmap_performance.reg
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://svn.nmap.org/nmap/docs/win32-installer-zenmap-buildguide.txt
Source: svchost.exe, 00000009.00000003.308285045.000001905A63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.308872110.000001905A613000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.286165955.000001905A631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.308285045.000001905A63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.286165955.000001905A631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.308424231.000001905A63A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.308285045.000001905A63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: npcap-1.00.exe, 00000005.00000003.334932576.000000000078D000.00000004.00000001.sdmp String found in binary or memory: https://tcpdump.org
Source: dns-client-subnet-scan.nse.0.dr String found in binary or memory: https://tools.ietf.org/html/rfc7871
Source: broadcast-jenkins-discover.nse.0.dr String found in binary or memory: https://wiki.jenkins.io/display/JENKINS/Auto-discovering
Source: nmap-7.91-setup.exe, 00000000.00000002.476043270.0000000000413000.00000004.00020000.sdmp, npcap-1.00.exe, 00000005.00000002.476070718.000000000040A000.00000004.00020000.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, WlanHelper.exe.5.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://www.gnu.org/licenses/gpl-2.0.html#SEC4
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: https://www.npcap.org
Source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp String found in binary or memory: https://www.npcap.orgURLUpdateInfoVersionMajorVersionMinorNoModifyNoRepairCheckStatus.batCreating
Source: libssl-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: http-iis-short-name-brute.nse.0.dr String found in binary or memory: https://www.securityfocus.com/archive/1/523424
Source: vulns.lua.0.dr String found in binary or memory: https://www.securityfocus.com/bid/
Source: http-vuln-cve2009-3960.nse.0.dr String found in binary or memory: https://www.securityfocus.com/bid/38197
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://www.shodan.io)
Source: nsyA5CF.tmp.0.dr String found in binary or memory: https://www.shodan.io/)
Source: npcap-1.00.exe, 00000005.00000003.334932576.000000000078D000.00000004.00000001.sdmp String found in binary or memory: https://www.winpcap.org/.
Source: npcap-1.00.exe, 00000005.00000003.334932576.000000000078D000.00000004.00000001.sdmp String found in binary or memory: https://www.wireshark.org/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_0040514B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040514B
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_004048DE GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 5_2_004048DE
Creates a DirectInput object (often for capturing keystrokes)
Source: npcap-1.00.exe, 00000005.00000002.476870284.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Predator
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED
Installs WinPcap (used to filter network traffic)
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\wpcap.dll
Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\npcap.cat
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{60996993-5989-264d-969b-9d3975f7236e}\SET68CB.tmp
Source: C:\Program Files\Npcap\NPFInstall.exe File created: C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\SET63C9.tmp

Spam, unwanted Advertisements and Ransom Demands:

Installs WinPcap (used to filter network traffic)
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\wpcap.dll

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC949590: GetProcessHeap,GetLastError,CreateFileW,HeapAlloc,DeviceIoControl,GetLastError,HeapFree,HeapAlloc,DeviceIoControl,GetLastError,HeapFree,CloseHandle,HeapFree,CloseHandle,HeapFree,CloseHandle,HeapFree,CloseHandle, 19_2_00007FF6AC949590
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_0040326C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040326C
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 5_2_004036E7
Creates driver files
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\npcap.sys
Creates files inside the driver directory
Source: C:\Program Files\Npcap\NPFInstall.exe File created: C:\Windows\system32\DRIVERS\SET7FED.tmp
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Deletes files inside the Windows folder
Source: C:\Program Files\Npcap\NPFInstall.exe File deleted: C:\Windows\System32\drivers\SET7FED.tmp
Detected potential crypto function
Enables security privileges
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: String function: 00007FF6AC9423E0 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: String function: 00007FF6AC941100 appears 393 times
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: String function: 00406747 appears 59 times
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: String function: 00007FF6C2AA23E0 appears 88 times
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: String function: 00007FF6C2AA1100 appears 786 times
PE file contains strange resources
Source: nmap-7.91-setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nmap-7.91-setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nmap-7.91-setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nmap.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: npcap-1.00.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: npcap-1.00.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: npcap-1.00.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Uninstall.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: nmap-7.91-setup.exe, 00000000.00000002.482871318.0000000003280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs nmap-7.91-setup.exe
Source: nmap-7.91-setup.exe, 00000000.00000002.478286720.0000000002210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLEACCRC.DLLj% vs nmap-7.91-setup.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: nmap-7.91-setup.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: C:\Program Files (x86)\Nmap\nselib\data\http-fingerprints.lua, type: DROPPED Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED Matched rule: iKAT_tools_nmap date = 05.11.14, author = Florian Roth, description = Generic rule for NMAP - based on NMAP 4 standalone, license = https://creativecommons.org/licenses/by-nc/4.0/, score = http://ikat.ha.cked.net/Windows/functions/ikatfiles.html, hash = d0543f365df61e6ebb5e345943577cc40fca8682
Source: SET7FED.tmp.28.dr Binary string: \Device\NPCAP
Source: nsyA5CF.tmp.0.dr Binary string: names (like \Device\NPF_{28700713...}). You can see this mapping
Source: WlanHelper.exe.5.dr Binary string: \Device\NPCAP_WIFI_{%s}Error: makeOIDRequest::My_PacketOpenAdapter error (to use this function, you need to check the "Support raw 802.11 traffic" option when installing Npcap)
Source: SET7FED.tmp.28.dr Binary string: LoopbackAdapterLoopbackSupportSendToRxAdaptersBlockRxAdapters\Device\\DosDevices\AdminOnlyDltNullDot11SupportVlanSupportTimestampMode
Source: WlanHelper.exe.5.dr Binary string: \Device\NPCAP_WIFI_{%s}
Source: SET7FED.tmp.28.dr Binary string: \Device\Loopback
Source: nsyA5CF.tmp.0.dr Binary or memory string: is done building the Release version of mswin32/nmap.sln. If someone
Source: classification engine Classification label: mal40.spre.phis.bank.troj.adwa.evad.winEXE@37/881@0/1
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC9489F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 19_2_00007FF6AC9489F0
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AA89F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 22_2_00007FF6C2AA89F0
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AA89F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 26_2_00007FF6C2AA89F0
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_0040441B GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040441B
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC949CD0 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,_invalid_parameter_noinfo_noreturn,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 19_2_00007FF6AC949CD0
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3032:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Users\user\AppData\Local\Temp\nssA560.tmp
Source: nmap-7.91-setup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: NPFInstall.exe String found in binary or memory: -add_path
Source: NPFInstall.exe String found in binary or memory: -add_path
Source: NPFInstall.exe String found in binary or memory: -add_path
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File read: C:\Users\user\Desktop\nmap-7.91-setup.exe
Source: unknown Process created: C:\Users\user\Desktop\nmap-7.91-setup.exe 'C:\Users\user\Desktop\nmap-7.91-setup.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Process created: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe 'C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe' /loopback_support=no
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe 'C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe' -n -check_dll
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -c
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\pnputil.exe pnputil.exe -e
Source: C:\Windows\System32\pnputil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -iw
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -i
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k dcomlaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\NPCAP.inf' '9' '405306be3' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'C:\Program Files\Npcap'
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR ''C:\Program Files\Npcap\CheckStatus.bat'' /NP
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Process created: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe 'C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe' /loopback_support=no
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe 'C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe' -n -check_dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -c
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -iw
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -i
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR ''C:\Program Files\Npcap\CheckStatus.bat'' /NP
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\pnputil.exe pnputil.exe -e
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\NPCAP.inf' '9' '405306be3' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'C:\Program Files\Npcap'
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File written: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\shortcuts.ini
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Automated click: I Agree
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Automated click: Next >
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: I Agree
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Nmap.Press Page Down to see the rest of the agreement.For more information on this license see https://nmap.org/npsl/0. PreambleThe intent of this license is to establish freedom to share and change the software regulated by this license under the open source model. It also includes a Contributor Agreement and disclaims any warranty on Covered Software. Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license. Open source developers who wish to incorporate parts of Covered Software into free software with conflicting licenses may write Licensor to request a waiver of terms.If the Nmap Project (directly or through one of it's commercial licensing customers) has granted you additional rights to Nmap or Nmap OEM those additional rights take precedence where they conflict with the terms of this license agreement.This License represents the complete agreement concerning subject matter hereof. It contains the license terms themselves but not the reasoning behind them or detailed explanations. For further information about this License see https://nmap.org/npsl/ . That page makes a good faith attempt to explain this License but it does not and can not modify its governing terms in any way.1. Definitions"Contribution" means any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition "submitted" means any form of electronic verbal or written communication sent to the Licensor or its representatives including but not limited to communication on electronic mailing lists source code control systems web sites and issue tracking systems that are managed by or on behalf of the Licensor for the purpose of discussing and improving the Work but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution.""Contributor" means Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work."Covered Software" means the work of authorship whether in Source or Object form made available under the License as indicated by a copyright notice that is included in or attached to the work"Derivative Work" or "Collective Work" means any work whether in Source or Object form that is based on (or derived from) the Work and for which the editorial revisions annotations elaborations or other modifications represent as a whole an original work of authorship. It includes software as described in Section 3 of this License.
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\install.log
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\LICENSE
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.bat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.ps1
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\FixInstall.bat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\NPFInstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.sys
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.cat
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap.inf
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\npcap_wfp.inf
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\CheckStatus.bat
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Directory created: C:\Program Files\Npcap\NPFInstall.log
Source: nmap-7.91-setup.exe Static PE information: certificate valid
Source: nmap-7.91-setup.exe Static file information: File size 27278840 > 1048576
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\WlanHelper.pdb&& source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, WlanHelper.exe.5.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\NPFInstall.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\Packet.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win10 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win7 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\wpcap\build-x64\run\Release\wpcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win7 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\NpcapHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win10 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, SET7FED.tmp.28.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\WlanHelper.pdb%% source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win7 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win7 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\NPFInstall.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 00000013.00000002.439870347.00007FF6AC970000.00000002.00020000.sdmp, NPFInstall.exe, 00000016.00000000.441473140.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001A.00000002.449384905.00007FF6C2AD0000.00000002.00020000.sdmp, NPFInstall.exe, 0000001C.00000000.450409793.00007FF6C2AD0000.00000002.00020000.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\Packet.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\NpcapHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Release\WlanHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\wpcap\build-win32\run\Release\wpcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Release\WlanHelper.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, WlanHelper.exe.5.dr
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\Win10 Release\npcap.pdbGCTL source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp
Source: Binary string: C:\Users\nmap\Source\Repos\npcap\packetWin7\vs14\x64\Win10 Release\npcap.pdb source: npcap-1.00.exe, 00000005.00000002.479030257.0000000002836000.00000004.00000001.sdmp, NPFInstall.exe, 0000001C.00000003.459950516.000001364003F000.00000004.00000001.sdmp, drvinst.exe, 00000020.00000003.457559307.00000162FD71A000.00000004.00000001.sdmp, SET7FED.tmp.28.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 5_2_10001D3B
PE file contains an invalid checksum
Source: nmap-7.91-setup.exe Static PE information: real checksum: 0x1a08b0e should be:
PE file contains sections with non-standard names
Source: nmap.exe.0.dr Static PE information: section name: _RDATA
Source: NPFInstall.exe.5.dr Static PE information: section name: _RDATA
Source: NPFInstall.exe0.5.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\SimpleSC.dll
Source: C:\Program Files\Npcap\NPFInstall.exe File created: C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\SET63FA.tmp
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\nmap.exe
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\Uninstall.exe
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{60996993-5989-264d-969b-9d3975f7236e}\SET68FC.tmp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\Packet.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\NPFInstall.exe
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\zlibwapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\npcap.sys
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\wpcap.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\libssh2.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\Packet.dll
Source: C:\Program Files\Npcap\NPFInstall.exe File created: C:\Windows\System32\drivers\SET7FED.tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\NpcapHelper.exe
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{60996993-5989-264d-969b-9d3975f7236e}\SET68FC.tmp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\Npcap\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\System32\NpcapHelper.exe
Source: C:\Program Files\Npcap\NPFInstall.exe File created: C:\Windows\System32\drivers\SET7FED.tmp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Windows\SysWOW64\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File created: C:\Program Files\Npcap\install.log
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe File created: C:\Program Files\Npcap\NPFInstall.log
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\3rd-party-licenses.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\LIBLINEAR-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\Libdnet-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\Lua-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\OpenSSL-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\PCRE-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\WinPcap-license.txt
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File created: C:\Program Files (x86)\Nmap\licenses\zlib-license.txt

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR ''C:\Program Files\Npcap\CheckStatus.bat'' /NP
Creates or modifies windows services
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npcap\Parameters
Modifies existing windows services
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npcap
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pnputil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Npcap\NPFInstall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC949CD0 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,_invalid_parameter_noinfo_noreturn,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 19_2_00007FF6AC949CD0
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC942780 SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,lstrlenW,lstrlenW, 19_2_00007FF6AC942780
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Npcap\NPFInstall.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\SET63FA.tmp
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\nmap.exe
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\Uninstall.exe
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{60996993-5989-264d-969b-9d3975f7236e}\SET68FC.tmp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Npcap\Packet.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\zlibwapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Program Files\Npcap\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Packet.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Npcap\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\NpcapHelper.exe
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\WlanHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\Npcap\wpcap.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Npcap\wpcap.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\Npcap\NpcapHelper.exe
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Dropped PE file which has not been started: C:\Windows\System32\Npcap\Packet.dll
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Nmap\libssh2.dll
Source: C:\Program Files\Npcap\NPFInstall.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\SET7FED.tmp
Found evasive API chain (date check)
Source: C:\Program Files\Npcap\NPFInstall.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files\Npcap\NPFInstall.exe API coverage: 8.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5876 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00405646 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405646
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_0040601C FindFirstFileA,FindClose, 0_2_0040601C
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00406775 FindFirstFileA,FindClose, 5_2_00406775
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 5_2_00405B99
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_00402A84 FindFirstFileA, 5_2_00402A84
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC9657F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 19_2_00007FF6AC9657F4
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC941220 FindFirstFileW,GetLastError,FindClose, 19_2_00007FF6AC941220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AA1220 FindFirstFileW,GetLastError,FindClose, 22_2_00007FF6C2AA1220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AC57F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 22_2_00007FF6C2AC57F4
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AA1220 FindFirstFileW,GetLastError,FindClose, 26_2_00007FF6C2AA1220
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AC57F4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 26_2_00007FF6C2AC57F4
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe File opened: C:\Users\user\AppData\Local
Source: nsyA5CF.tmp.0.dr Binary or memory string: http-methods http-vmware-path-vuln ipidseq jdwp-version ldap-brute
Source: svchost.exe, 00000001.00000002.209848833.000001F7EAA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.290748383.000001EF84860000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.479179137.000001F503340000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.310029044.0000014A75940000.00000002.00000001.sdmp, NPFInstall.exe, 0000001C.00000002.471837050.0000013641FB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000001E.00000003.469983677.0000021CC7F25000.00000004.00000001.sdmp Binary or memory string: &@vmnetextension
Source: nsyA5CF.tmp.0.dr Binary or memory string: and easy to exploit path-traversal vulnerability in VMWare
Source: vmauthd-brute.nse.0.dr Binary or memory string: if ( not( line:match("^220 VMware Authentication Daemon") ) ) then
Source: svchost.exe, 00000004.00000002.479582809.000001DE3764A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: nsyA5CF.tmp.0.dr Binary or memory string: VMWare Fusion running. The error message started with:
Source: nsyA5CF.tmp.0.dr Binary or memory string: name like "ssl/vmware-auth". The service will then be reported as
Source: nsyA5CF.tmp.0.dr Binary or memory string: + vmware-version queries VMWare SOAP API for version and product information.
Source: nsyA5CF.tmp.0.dr Binary or memory string: o [NSE] Added http-vmware-path-vuln.nse, which checks for a critical
Source: nsyA5CF.tmp.0.dr Binary or memory string: vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap
Source: svchost.exe, 00000001.00000002.209848833.000001F7EAA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.290748383.000001EF84860000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.479179137.000001F503340000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.310029044.0000014A75940000.00000002.00000001.sdmp, NPFInstall.exe, 0000001C.00000002.471837050.0000013641FB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vmauthd-brute.nse.0.dr Binary or memory string: if ( line:match("^220 VMware Authentication Daemon.*SSL Required") ) then
Source: nsyA5CF.tmp.0.dr Binary or memory string: http-vmware-path-vuln.nse
Source: svchost.exe, 00000007.00000002.476651334.000001F502651000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.476927338.0000021E47629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nsyA5CF.tmp.0.dr Binary or memory string: Also added a couple unregistered OUI's (for QEMU and Bochs)
Source: svchost.exe, 0000001E.00000003.469983677.0000021CC7F25000.00000004.00000001.sdmp Binary or memory string: .@vmnetextension
Source: nsyA5CF.tmp.0.dr Binary or memory string: "getinterfaces: Failed to open ethernet interface (vmnet8). A
Source: nsyA5CF.tmp.0.dr Binary or memory string: VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
Source: nsyA5CF.tmp.0.dr Binary or memory string: vmware-version.nse
Source: svchost.exe, 00000004.00000002.476256179.000001DE31E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@@f7
Source: nsyA5CF.tmp.0.dr Binary or memory string: https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html . [Ron]
Source: vmauthd-brute.nse.0.dr Binary or memory string: portrule = shortport.port_or_service(902, {"ssl/vmware-auth", "vmware-auth"}, "tcp")
Source: nsyA5CF.tmp.0.dr Binary or memory string: + VMware ESX Server [Aleksey Tyurin]
Source: vmauthd-brute.nse.0.dr Binary or memory string: return false, "Failed to detect VMWare Authentication Daemon"
Source: nsyA5CF.tmp.0.dr Binary or memory string: svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
Source: vmauthd-brute.nse.0.dr Binary or memory string: Performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd).
Source: svchost.exe, 0000001E.00000003.469983677.0000021CC7F25000.00000004.00000001.sdmp Binary or memory string: @vmnetextension
Source: svchost.exe, 00000001.00000002.209848833.000001F7EAA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.290748383.000001EF84860000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.479179137.000001F503340000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.310029044.0000014A75940000.00000002.00000001.sdmp, NPFInstall.exe, 0000001C.00000002.471837050.0000013641FB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: NPFInstall.exe, 0000001C.00000002.471094356.00000136400A1000.00000004.00000001.sdmp Binary or memory string: vmnetextensionll.cp.0.latn
Source: svchost.exe, 0000001E.00000003.470298852.0000021CC7F08000.00000004.00000001.sdmp Binary or memory string: ethernetwlanppipvmnetextensionAD}
Source: svchost.exe, 00000001.00000002.209848833.000001F7EAA60000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.290748383.000001EF84860000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.479179137.000001F503340000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.310029044.0000014A75940000.00000002.00000001.sdmp, NPFInstall.exe, 0000001C.00000002.471837050.0000013641FB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94ED8C GetLastError,IsDebuggerPresent,OutputDebugStringW, 19_2_00007FF6AC94ED8C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94ED8C GetLastError,IsDebuggerPresent,OutputDebugStringW, 19_2_00007FF6AC94ED8C
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC949CD0 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,_invalid_parameter_noinfo_noreturn,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 19_2_00007FF6AC949CD0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Code function: 5_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 5_2_10001D3B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC949590 GetProcessHeap,GetLastError,CreateFileW,HeapAlloc,DeviceIoControl,GetLastError,HeapFree,HeapAlloc,DeviceIoControl,GetLastError,HeapFree,CloseHandle,HeapFree,CloseHandle,HeapFree,CloseHandle,HeapFree,CloseHandle, 19_2_00007FF6AC949590
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94E4B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 19_2_00007FF6AC94E4B8
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94DEF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00007FF6AC94DEF4
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94E864 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF6AC94E864
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC94EA10 SetUnhandledExceptionFilter, 19_2_00007FF6AC94EA10
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC954C1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00007FF6AC954C1C
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AAE4B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 22_2_00007FF6C2AAE4B8
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AB4C1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00007FF6C2AB4C1C
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AAEA10 SetUnhandledExceptionFilter, 22_2_00007FF6C2AAEA10
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AAE864 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00007FF6C2AAE864
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 22_2_00007FF6C2AADEF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF6C2AADEF4
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AAE4B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 26_2_00007FF6C2AAE4B8
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AB4C1C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF6C2AB4C1C
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AAEA10 SetUnhandledExceptionFilter, 26_2_00007FF6C2AAEA10
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AAE864 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00007FF6C2AAE864
Source: C:\Program Files\Npcap\NPFInstall.exe Code function: 26_2_00007FF6C2AADEF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF6C2AADEF4

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe 'C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe' -n -check_dll
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -c
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -iw
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Program Files\Npcap\NPFInstall.exe 'C:\Program Files\Npcap\NPFInstall.exe' -n -i
Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR ''C:\Program Files\Npcap\CheckStatus.bat'' /NP
Source: C:\Program Files\Npcap\NPFInstall.exe Process created: C:\Windows\System32\pnputil.exe pnputil.exe -e
Source: nmap-7.91-setup.exe, 00000000.00000002.478211367.0000000000E00000.00000002.00000001.sdmp, npcap-1.00.exe, 00000005.00000002.477652706.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: nmap-7.91-setup.exe, 00000000.00000002.478211367.0000000000E00000.00000002.00000001.sdmp, npcap-1.00.exe, 00000005.00000002.477652706.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: nmap-7.91-setup.exe, 00000000.00000002.478211367.0000000000E00000.00000002.00000001.sdmp, npcap-1.00.exe, 00000005.00000002.477652706.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: nmap-7.91-setup.exe, 00000000.00000002.478211367.0000000000E00000.00000002.00000001.sdmp, npcap-1.00.exe, 00000005.00000002.477652706.0000000000D90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC96DC30 cpuid 19_2_00007FF6AC96DC30
Queries device information via Setup API
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC942780 SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,lstrlenW,lstrlenW, 19_2_00007FF6AC942780
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{60996993-5989-264d-969b-9d3975f7236e}\npcap.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe Code function: 19_2_00007FF6AC941100 GetLastError,GetCurrentThreadId,GetLocalTime,Sleep,SetLastError, 19_2_00007FF6AC941100
Source: C:\Users\user\Desktop\nmap-7.91-setup.exe Code function: 0_2_00405D43 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405D43
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: NPFInstall.exe, 0000001C.00000003.462118889.00000136400D5000.00000004.00000001.sdmp Binary or memory string: PGSETUP.EXE
Source: svchost.exe, 0000000B.00000002.476943666.0000019422102000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.476886558.0000019422051000.00000004.00000001.sdmp Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: NPFInstall.exe, 0000001C.00000003.462118889.00000136400D5000.00000004.00000001.sdmp Binary or memory string: 123.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Predator
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED

Remote Access Functionality:

Yara detected Predator
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED
Contains VNC / remote desktop functionality (version string found)
Source: realvnc-auth-bypass.nse.0.dr String found in binary or memory: socket:send("RFB 003.008\n")