Analysis Report nmap-7.91-setup.exe

Overview

General Information

Sample Name: nmap-7.91-setup.exe
Analysis ID: 432891
MD5: 5df3bf0234f0c2af2c470f98243c788f
SHA1: 7474a3c2c44e612387d1ff176179187ddc1b9bfc
SHA256: c4683097a2615252eeddab06c54872efb14c2ee2da8997b1c73844e582081a79

Detection

HTMLPhisher Predator
Score: 40
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 50
Range: 0 - 100

Signatures

Yara detected HtmlPhish10
Yara detected Predator
Changes security center settings (notifications, updates, antivirus, firewall)
Contains VNC / remote desktop functionality (version string found)
Install WinpCap (used to filter network traffic)
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Ncat Network tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • nmap-7.91-setup.exe (PID: 2432 cmdline: 'C:\Users\user\Desktop\nmap-7.91-setup.exe' MD5: 5DF3BF0234F0C2AF2C470F98243C788F)
    • npcap-1.00.exe (PID: 5912 cmdline: 'C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe' /loopback_support=no MD5: FC8CB1B4677C90859AF51C8C664E755D)
      • NPFInstall.exe (PID: 2024 cmdline: 'C:\Users\user\AppData\Local\Temp\nsb823.tmp\NPFInstall.exe' -n -check_dll MD5: F93EEDCB0DF2EF914ED51CC927A1FDE9)
        • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • NPFInstall.exe (PID: 2052 cmdline: 'C:\Program Files\Npcap\NPFInstall.exe' -n -c MD5: F93EEDCB0DF2EF914ED51CC927A1FDE9)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • pnputil.exe (PID: 4008 cmdline: pnputil.exe -e MD5: F4C3BD7A47ACE4BEE4D864B299391DC1)
          • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • NPFInstall.exe (PID: 6052 cmdline: 'C:\Program Files\Npcap\NPFInstall.exe' -n -iw MD5: F93EEDCB0DF2EF914ED51CC927A1FDE9)
        • conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • NPFInstall.exe (PID: 5212 cmdline: 'C:\Program Files\Npcap\NPFInstall.exe' -n -i MD5: F93EEDCB0DF2EF914ED51CC927A1FDE9)
        • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4876 cmdline: SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR ''C:\Program Files\Npcap\CheckStatus.bat'' /NP MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4348 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5044 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3224 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6128 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5512 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1956 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4744 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5204 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s DeviceInstall MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • drvinst.exe (PID: 5216 cmdline: DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{7e40bce9-63ed-3549-a69d-3044b7b23662}\NPCAP.inf' '9' '405306be3' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'C:\Program Files\Npcap' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Program Files (x86)\Nmap\nselib\data\http-fingerprints.lua
Rule: Hacktool_Strings_p0wnedShell
Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs
Author: Florian Roth
Strings:
  • 0x152c6:$x2: windows/meterpreter

Source: C:\Program Files (x86)\Nmap\nmap-service-probes
Rule: JoeSecurity_HtmlPhish_10
Description: Yara detected HtmlPhish_10
Author: Joe Security

Source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp
Rule: Hacktool_Strings_p0wnedShell
Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs
Author: Florian Roth
Strings:
  • 0x179e2a7:$x2: windows/meterpreter

Source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp
Rule: iKAT_tools_nmap
Description: Generic rule for NMAP - based on NMAP 4 standalone
Author: Florian Roth
Strings:
  • 0xc816e9:$s0: Insecure.Org
  • 0x42c9762:$s1: Copyright (c) Insecure.Com
  • 0x1bec9:$s2: Nmap
  • 0x1bed7:$s2: Nmap
  • 0x1bf11:$s2: nmap
  • 0x1c15a:$s2: Nmap
  • 0x1c1cd:$s2: Nmap
  • 0x1c1d5:$s2: Nmap
  • 0x1c335:$s2: nmap
  • 0x1d528:$s2: nmap
  • 0x1d536:$s2: nmap
  • 0x1d688:$s2: Nmap
  • 0x1e68c:$s2: Nmap
  • 0x1e720:$s2: Nmap
  • 0x1e794:$s2: nmap
  • 0x1ed4c:$s2: Nmap
  • 0x1ed76:$s2: Nmap
  • 0x1eefb:$s2: Nmap
  • 0x1ef8b:$s2: nmap
  • 0x22f43:$s2: Nmap
  • 0x22f74:$s2: Nmap

Source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp
Rule: JoeSecurity_Predator
Description: Yara detected Predator
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Failed Code Integrity Checks
Source: Event Logs, Author: Thomas Patzke, Data: EventID: 5038, Source: Microsoft-Windows-Security-Auditing, data 0: \Device\HarddiskVolume4\Windows\System32\drivers\npcap.sys

Signature Overview

AV Detection:

Yara detected Predator
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\nsyA5CF.tmp, type: DROPPED
Source: 0.2.nmap-7.91-setup.exe.2c54f6a.2.unpack, Avira: Label: TR/Patched.Ren.Gen

Phishing:

Yara detected HtmlPhish10
Source: Yara match, File source: C:\Program Files (x86)\Nmap\nmap-service-probes, type: DROPPED

Compliance:

Uses 32bit PE files
Source: nmap-7.91-setup.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Found installer window with terms and condition text
      Source: C:\Users\user\Desktop\nmap-7.91-setup.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Nmap.Press Page Down to see the rest of the agreement.For more information on this license see https://nmap.org/npsl/0. PreambleThe intent of this license is to establish freedom to share and change the software regulated by this license under the open source model. It also includes a Contributor Agreement and disclaims any warranty on Covered Software. Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license. Open source developers who wish to incorporate parts of Covered Software into free software with conflicting licenses may write Licensor to request a waiver of terms.If the Nmap Project (directly or through one of it's commercial licensing customers) has granted you additional rights to Nmap or Nmap OEM those additional rights take precedence where they conflict with the terms of this license agreement.This License represents the complete agreement concerning subject matter hereof. It contains the license terms themselves but not the reasoning behind them or detailed explanations. For further information about this License see https://nmap.org/npsl/ . That page makes a good faith attempt to explain this License but it does not and can not modify its governing terms in any way.1. Definitions"Contribution" means any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition "submitted" means any form of electronic verbal or written communication sent to the Licensor or its representatives including but not limited to communication on electronic mailing lists source code control systems web sites and issue tracking systems that are managed by or on behalf of the Licensor for the purpose of discussing and improving the Work but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution.""Contributor" means Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work."Covered Software" means the work of authorship whether in Source or Object form made available under the License as indicated by a copyright notice that is included in or attached to the work"Derivative Work" or "Collective Work" means any work whether in Source or Object form that is based on (or derived from) the Work and for which the editorial revisions annotations elaborations or other modifications represent as a whole an original work of authorship. It includes software as described in Section 3 of this License.
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exeWindow detected: I &AgreeCancelNullsoft Install System v2.51 Nullsoft Install System v2.51License AgreementPlease review the license terms before installing Npcap 1.00.Press Page Down to see the rest of the agreement.NPCAP COPYRIGHT / END USER LICENSE AGREEMENTNpcap is a Windows packet sniffing driver and library and is copyright(c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rightsreserved.Even though Npcap source code is publicly available for review it isnot open source software and may not be redistributed without specialpermission from the Nmap Project. The standard version is alsolimited to installation on five systems. We fund the Npcap project byselling two types of commercial licenses to a special Npcap OEMedition:1) Npcap OEM Redistribution License allows companies to redistributeNpcap with their products.2) Npcap OEM Internal Use License allows companies to use Npcap OEMinternally in excess of the free/demo version's normal 5-systemlimitation.Both of these licenses include updates and support as well as awarranty. Npcap OEM also includes a silent installer for unattendedinstallation. Further details about Npcap OEM are available fromhttps://nmap.org/npcap/oem/ and you are also welcome to contact us atsales@nmap.com to ask any questions or set up a license for yourorganization.Free and open source software producers are also welcome to contact usfor redistribution requests. However we normally recommend that suchauthors instead ask your users to download and install Npcap themselves.If the Nmap Project (directly or through one of our commerciallicensing customers) has granted you additional rights to Npcap orNpcap OEM those additional rights take precedence where they conflictwith the terms of this license agreement.Since the Npcap source code is available for download and reviewusers sometimes contribute code patches to fix bugs or add newfeatures. 
By sending these changes to the Nmap Project (includingthrough direct email or our mailing lists or submitting pull requeststhrough our source code repository) it is understood unless youspecify otherwise that you are offering the Nmap Project theunlimited non-exclusive right to reuse modify and relicence yourcode contribution so that we may (but are not obligated to)incorporate it into Npcap. If you wish to specify special licenseconditions or restrictions on your contributions just say so when yousend them.This copy of Npcap (the "Software") and accompanying documentation islicensed and not sold. This Software is protected by copyright lawsand treaties as well as laws and treaties related to other forms ofintellectual property. The Nmap Project owns intellectual propertyrights in the Software. The Licensee's ("you" or "your") license todownload use copy or change the Software is subject to these rightsand to all the terms and conditions of this End User License Agreement("Agreement").ACCEPTANCEBy accepting this agreement or by downloading installing using orcopying the Software or by cl
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Window detected: I &Agree Cancel Nullsoft Install System v2.51 Nullsoft Install System v2.51 License Agreement Please review the license terms before installing Npcap 1.00. Press Page Down to see the rest of the agreement. NPCAP COPYRIGHT / END USER LICENSE AGREEMENT Npcap is a Windows packet sniffing driver and library and is copyright (c) 2013-2020 by Insecure.Com LLC ("The Nmap Project"). All rights reserved. Even though Npcap source code is publicly available for review it is not open source software and may not be redistributed without special permission from the Nmap Project. The standard version is also limited to installation on five systems. We fund the Npcap project by selling two types of commercial licenses to a special Npcap OEM edition: 1) Npcap OEM Redistribution License allows companies to redistribute Npcap with their products. 2) Npcap OEM Internal Use License allows companies to use Npcap OEM internally in excess of the free/demo version's normal 5-system limitation. Both of these licenses include updates and support as well as a warranty. Npcap OEM also includes a silent installer for unattended installation. Further details about Npcap OEM are available from https://nmap.org/npcap/oem/ and you are also welcome to contact us at sales@nmap.com to ask any questions or set up a license for your organization. Free and open source software producers are also welcome to contact us for redistribution requests. However we normally recommend that such authors instead ask your users to download and install Npcap themselves. If the Nmap Project (directly or through one of our commercial licensing customers) has granted you additional rights to Npcap or Npcap OEM those additional rights take precedence where they conflict with the terms of this license agreement. Since the Npcap source code is available for download and review users sometimes contribute code patches to fix bugs or add new features.
By sending these changes to the Nmap Project (including through direct email or our mailing lists or submitting pull requests through our source code repository) it is understood unless you specify otherwise that you are offering the Nmap Project the unlimited non-exclusive right to reuse modify and relicence your code contribution so that we may (but are not obligated to) incorporate it into Npcap. If you wish to specify special license conditions or restrictions on your contributions just say so when you send them. This copy of Npcap (the "Software") and accompanying documentation is licensed and not sold. This Software is protected by copyright laws and treaties as well as laws and treaties related to other forms of intellectual property. The Nmap Project owns intellectual property rights in the Software. The Licensee's ("you" or "your") license to download use copy or change the Software is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement"). ACCEPTANCE By accepting this agreement or by downloading installing using or copying the Software or by cl
      Creates a directory in C:\Program Files
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\install.log
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\LICENSE
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.bat
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\DiagReport.ps1
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\FixInstall.bat
      Source: C:\Users\user\AppData\Local\Temp\nsyA5D0.tmp\npcap-1.00.exe Directory created: C:\Program Files\Npcap\Uninstall.exe