File name:

npcap-1.60.exe

Full analysis: https://app.any.run/tasks/7d39450c-6642-4af6-84a7-9e0c4bebeb95
Verdict: Malicious activity
Analysis date: February 01, 2022, 15:58:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

3081D2266918768DA067A99F767E2A0B

SHA1:

C1844016B5E991449EE1E62D44A312065D83E354

SHA256:

87D3624772B8272767A3A4FFCCEECC3052489CD09E494A6C352DCE5E5EFA4070

SSDEEP:

24576:XZj8sCxPBp6wNLhYFzQLZxWRSuus56m4IpW1u0kFaa+Kp96vhZKj:12JpXGhes4m4GW1ut+i9+Cj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • npcap-1.60.exe (PID: 3024)
      • NPFInstall.exe (PID: 2596)
      • DrvInst.exe (PID: 2524)

    • Loads dropped or rewritten executable

      • npcap-1.60.exe (PID: 3024)

    • Changes settings of System certificates

      • certutil.exe (PID: 2084)
      • certutil.exe (PID: 2440)

    • Application was dropped or rewritten from another process

      • NPFInstall.exe (PID: 2172)
      • NPFInstall.exe (PID: 3728)
      • NPFInstall.exe (PID: 2596)
      • NPFInstall.exe (PID: 3652)

    • Uses Task Scheduler to run other applications

      • ns843C.tmp (PID: 700)

    • Loads the Task Scheduler COM API

      • SCHTASKS.EXE (PID: 2024)

  • SUSPICIOUS

    • Creates a directory in Program Files

      • npcap-1.60.exe (PID: 3024)

    • Reads the computer name

      • npcap-1.60.exe (PID: 3024)
      • NPFInstall.exe (PID: 2172)
      • NPFInstall.exe (PID: 2596)
      • DrvInst.exe (PID: 2524)
      • NPFInstall.exe (PID: 3652)
      • powershell.exe (PID: 2664)

    • Checks supported languages

      • npcap-1.60.exe (PID: 3024)
      • NPFInstall.exe (PID: 2172)
      • ns417F.tmp (PID: 1704)
      • ns4401.tmp (PID: 496)
      • ns446F.tmp (PID: 1412)
      • ns44DD.tmp (PID: 1332)
      • NPFInstall.exe (PID: 3728)
      • ns4627.tmp (PID: 3628)
      • NPFInstall.exe (PID: 2596)
      • DrvInst.exe (PID: 2524)
      • ns45B9.tmp (PID: 3768)
      • NPFInstall.exe (PID: 3652)
      • ns7FE6.tmp (PID: 2508)
      • powershell.exe (PID: 2664)
      • ns843C.tmp (PID: 700)

    • Reads Environment values

      • npcap-1.60.exe (PID: 3024)
      • vssvc.exe (PID: 3060)

    • Drops a file that was compiled in debug mode

      • npcap-1.60.exe (PID: 3024)
      • NPFInstall.exe (PID: 2596)
      • DrvInst.exe (PID: 2524)

    • Creates files in the program directory

      • NPFInstall.exe (PID: 2172)
      • npcap-1.60.exe (PID: 3024)

    • Creates files in the Windows directory

      • npcap-1.60.exe (PID: 3024)
      • certutil.exe (PID: 2084)
      • certutil.exe (PID: 2440)
      • DrvInst.exe (PID: 2524)
      • pnputil.exe (PID: 2632)
      • NPFInstall.exe (PID: 2596)

    • Executable content was dropped or overwritten

      • npcap-1.60.exe (PID: 3024)
      • NPFInstall.exe (PID: 2596)
      • DrvInst.exe (PID: 2524)

    • Starts application with an unusual extension

      • npcap-1.60.exe (PID: 3024)

    • Creates a software uninstall entry

      • npcap-1.60.exe (PID: 3024)

    • Removes files from Windows directory

      • certutil.exe (PID: 2084)
      • certutil.exe (PID: 2440)
      • DrvInst.exe (PID: 2524)
      • NPFInstall.exe (PID: 2596)

    • Executed via COM

      • DrvInst.exe (PID: 2524)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 2524)
      • NPFInstall.exe (PID: 2596)

    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 2524)

    • Executed as Windows Service

      • vssvc.exe (PID: 3060)

    • Creates or modifies windows services

      • npcap-1.60.exe (PID: 3024)

    • Executes PowerShell scripts

      • ns7FE6.tmp (PID: 2508)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • npcap-1.60.exe (PID: 3024)

    • Checks supported languages

      • certutil.exe (PID: 2084)
      • certutil.exe (PID: 2440)
      • pnputil.exe (PID: 2632)
      • rundll32.exe (PID: 3112)
      • vssvc.exe (PID: 3060)
      • SCHTASKS.EXE (PID: 2024)

    • Reads the computer name

      • certutil.exe (PID: 2440)
      • certutil.exe (PID: 2084)
      • pnputil.exe (PID: 2632)
      • rundll32.exe (PID: 3112)
      • vssvc.exe (PID: 3060)
      • SCHTASKS.EXE (PID: 2024)

    • Reads settings of System Certificates

      • certutil.exe (PID: 2084)
      • rundll32.exe (PID: 3112)
      • DrvInst.exe (PID: 2524)
      • NPFInstall.exe (PID: 2596)

    • Checks Windows Trust Settings

      • DrvInst.exe (PID: 2524)
      • rundll32.exe (PID: 3112)
      • NPFInstall.exe (PID: 2596)
      • powershell.exe (PID: 2664)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 2524)

    • Searches for installed software

      • DrvInst.exe (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 1.6
ProductName: Npcap
LegalCopyright: Copyright (c) 2021, Insecure.Com LLC. All rights reserved.
FileVersion: 1.6
FileDescription: Npcap 1.60 installer
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 5.1.60.1129
FileVersionNumber: 5.1.60.1129
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x3a59
UninitializedDataSize: 2048
InitializedDataSize: 152576
CodeSize: 28160
LinkerVersion: 6
PEType: PE32
TimeStamp: 2021:07:25 00:40:31+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2021 22:40:31
Detected languages:
  • English - United States
FileDescription: Npcap 1.60 installer
FileVersion: 1.60
LegalCopyright: Copyright (c) 2021, Insecure.Com LLC. All rights reserved.
ProductName: Npcap
ProductVersion: 1.60

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 24-Jul-2021 22:40:31
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006D73
0x00006E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45544
.rdata
0x00008000
0x000013EC
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.21696
.data
0x0000A000
0x00022D18
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.59112
.ndata
0x0002D000
0x00021000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0004E000
0x00004490
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.89367

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.28961
1070
UNKNOWN
English - United States
RT_MANIFEST
2
5.9993
3752
UNKNOWN
English - United States
RT_ICON
3
6.24459
2216
UNKNOWN
English - United States
RT_ICON
4
5.01502
1384
UNKNOWN
English - United States
RT_ICON
5
6.16057
1128
UNKNOWN
English - United States
RT_ICON
6
3.34146
744
UNKNOWN
English - United States
RT_ICON
7
3.04232
296
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.6691
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.67385
512
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
22
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start npcap-1.60.exe ns417f.tmp no specs npfinstall.exe no specs ns4401.tmp no specs certutil.exe no specs ns446f.tmp no specs certutil.exe no specs ns44dd.tmp no specs npfinstall.exe no specs pnputil.exe no specs ns45b9.tmp no specs npfinstall.exe no specs ns4627.tmp no specs npfinstall.exe drvinst.exe rundll32.exe no specs vssvc.exe no specs ns7fe6.tmp no specs powershell.exe no specs ns843c.tmp no specs schtasks.exe no specs npcap-1.60.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns4401.tmp" certutil -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\roots.p7b"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns4401.tmpnpcap-1.60.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\ns4401.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
700"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns843C.tmp" SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NPC:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns843C.tmpnpcap-1.60.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\ns843c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1164"C:\Users\admin\AppData\Local\Temp\npcap-1.60.exe" C:\Users\admin\AppData\Local\Temp\npcap-1.60.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Npcap 1.60 installer
Exit code:
3221226540
Version:
1.60
Modules
Images
c:\users\admin\appdata\local\temp\npcap-1.60.exe
c:\windows\system32\ntdll.dll
1332"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns44DD.tmp" "C:\Program Files\Npcap\NPFInstall.exe" -n -cC:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns44DD.tmpnpcap-1.60.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\ns44dd.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1412"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns446F.tmp" certutil -addstore -f "TrustedPublisher" "C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\signing.p7b"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns446F.tmpnpcap-1.60.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\ns446f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1704"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns417F.tmp" "C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\NPFInstall.exe" -n -check_dllC:\Users\admin\AppData\Local\Temp\nspEF95.tmp\ns417F.tmpnpcap-1.60.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\ns417f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2024SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NPC:\Windows\system32\SCHTASKS.EXEns843C.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2084certutil -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\roots.p7b"C:\Windows\system32\certutil.exens4401.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7601.18151 (win7sp1_gdr.130512-1533)
Modules
Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
2172"C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\NPFInstall.exe" -n -check_dllC:\Users\admin\AppData\Local\Temp\nspEF95.tmp\NPFInstall.exens417F.tmp
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.60
Modules
Images
c:\users\admin\appdata\local\temp\nspef95.tmp\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2440certutil -addstore -f "TrustedPublisher" "C:\Users\admin\AppData\Local\Temp\nspEF95.tmp\signing.p7b"C:\Windows\system32\certutil.exens446F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7601.18151 (win7sp1_gdr.130512-1533)
Modules
Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
Total events
13 769
Read events
13 415
Write events
353
Delete events
1

Modification events

(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Npcap
Operation:writeName:AdminOnly
Value:
0
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Npcap
Operation:writeName:WinPcapCompatible
Value:
1
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Npcap
Operation:writeName:(default)
Value:
C:\Program Files\Npcap
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation:writeName:UninstallString
Value:
"C:\Program Files\Npcap\uninstall.exe"
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\Npcap\uninstall.exe" /S
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation:writeName:DisplayIcon
Value:
C:\Program Files\Npcap\uninstall.exe
(PID) Process:(3024) npcap-1.60.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation:writeName:UninstallPath
Value:
C:\Program Files\Npcap
(PID) Process:(2084) certutil.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2084) certutil.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Operation:writeName:Blob
Value:
0300000001000000140000000563B8630D62D75ABBC8AB1E4BDFB5A899B24D432000000001000000BB030000308203B73082029FA00302010202100CE7E0E517D846FE8FE560FC1BF03039300D06092A864886F70D01010505003065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F74204341301E170D3036313131303030303030305A170D3331313131303030303030305A3065310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312430220603550403131B4469676943657274204173737572656420494420526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100AD0E15CEE443805CB187F3B760F97112A5AEDC269488AAF4CEF520392858600CF880DAA9159532613CB5B128848A8ADC9F0A0C83177A8F90AC8AE779535C31842AF60F98323676CCDEDD3CA8A2EF6AFB21F25261DF9F20D71FE2B1D9FE1864D2125B5FF9581835BC47CDA136F96B7FD4B0383EC11BC38C33D9D82F18FE280FB3A783D6C36E44C061359616FE599C8B766DD7F1A24B0D2BFF0B72DA9E60D08E9035C678558720A1CFE56D0AC8497C3198336C22E987D0325AA2BA138211ED39179D993A72A1E6FAA4D9D5173175AE857D22AE3F014686F62879C8B1DAE45717C47E1C0EB0B492A656B3BDB297EDAAA7F0B7C5A83F9516D0FFA196EB085F18774F0203010001A3633061300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E0416041445EBA2AFF492CB82312D518BA7A7219DF36DC80F301F0603551D2304183016801445EBA2AFF492CB82312D518BA7A7219DF36DC80F300D06092A864886F70D01010505000382010100A20EBCDFE2EDF0E372737A6494BFF77266D832E4427562AE87EBF2D5D9DE56B39FCCCE1428B90D97605C124C58E4D33D834945589735691AA847EA56C679AB12D8678184DF7F093C94E6B8262C20BD3DB32889F75FFF22E297841FE965EF87E0DFC16749B35DEBB2092AEB26ED78BE7D3F2BF3B726356D5F8901B6495B9F01059BAB3D25C1CCB67FC2F16F86C6FA6468EB812D94EB42B7FA8C1EDD62F1BE5067B76CBDF3F11F6B0C3607167F377CA95B6D7AF112466083D72704BE4BCE97BEC3672A6811DF80E70C3366BF130D146EF37F1F63101EFA8D1B256D6C8FA5B76101B1D2A326A110719DADE2C3F9C39951B72B0708CE2EE650B2A7FA0A452FA2F0F2
(PID) Process:(2084) certutil.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Operation:writeName:Blob
Value:
0300000001000000140000005FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC252000000001000000C9030000308203C5308202ADA003020102021002AC5C266A0B409B8F0B79F2AE462577300D06092A864886F70D0101050500306C310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312B30290603550403132244696769436572742048696768204173737572616E636520455620526F6F74204341301E170D3036313131303030303030305A170D3331313131303030303030305A306C310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D312B30290603550403132244696769436572742048696768204173737572616E636520455620526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100C6CCE573E6FBD4BBE52D2D32A6DFE5813FC9CD2549B6712AC3D5943467A20A1CB05F69A640B1C4B7B28FD098A4A941593AD3DC94D63CDB7438A44ACC4D2582F74AA5531238EEF3496D71917E63B6ABA65FC3A484F84F6251BEF8C5ECDB3892E306E508910CC4284155FBCB5A89157E71E835BF4D72093DBE3A38505B77311B8DB3C724459AA7AC6D00145A04B7BA13EB510A984141224E656187814150A6795C89DE194A57D52EE65D1C532C7E98CD1A0616A46873D03404135CA171D35A7C55DB5E64E13787305604E511B4298012F1793988A202117C2766B788B778F2CA0AA838AB0A64C2BF665D9584C1A1251E875D1A500B2012CC41BB6E0B5138B84BCB0203010001A3633061300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E04160414B13EC36903F8BF4701D498261A0802EF63642BC3301F0603551D23041830168014B13EC36903F8BF4701D498261A0802EF63642BC3300D06092A864886F70D010105050003820101001C1A0697DCD79C9F3C886606085721DB2147F82A67AABF183276401057C18AF37AD911658E35FA9EFC45B59ED94C314BB891E8432C8EB378CEDBE3537971D6E5219401DA55879A2464F68A66CCDE9C37CDA834B1699B23C89E78222B7043E35547316119EF58C5852F4E30F6A0311623C8E7E2651633CBBF1A1BA03DF8CA5E8B318B6008892D0C065C52B7C4F90A98D1155F9F12BE7C366338BD44A47FE4262B0AC497690DE98CE2C01057B8C876129155F24869D8BC2A025B0F44D42031DBF4BA70265D90609EBC4B17092FB4CB1E4368C90727C1D25CF7EA21B968129C3C9CBF9EFC805C9B63CDEC47AA252767A037F300827D54D7A9F8E92E13A377E81F4A
Executable files
29
Suspicious files
19
Text files
12
Unknown types
12

Dropped files

PID
Process
Filename
Type
3024npcap-1.60.exeC:\Program Files\Npcap\DiagReport.ps1text
MD5:4B2C9DC5C04AB8279AA5100CE7C9242B
SHA256:1CD3A7B9DB274FDE732CF9F73F9934B4659F41D77D9A931E21EF4C1BE444047A
3024npcap-1.60.exeC:\Users\admin\AppData\Local\Temp\nspEF95.tmp\NPFInstall.exeexecutable
MD5:3404B0CC27F27F3C2269EC59E737C8BE
SHA256:615815F22D6562AB1336433D05702371673218AA285EB2A92009DEDCB53863D0
3024npcap-1.60.exeC:\Program Files\Npcap\DiagReport.battext
MD5:B82606A6AFB3777D62E35E8D9850FAED
SHA256:0843361F05255E3970ED955171C20003238756C57137FEF9AC19D29FBD49F9F6
3024npcap-1.60.exeC:\Windows\system32\Npcap\Packet.dllexecutable
MD5:11FF6FE0CE86DCF88097613E88147D34
SHA256:9751BF77EEBF9B5DB6F2B59E1399FF3EDA0E22D9DCEDCE35AEF5CF447F5106AB
3024npcap-1.60.exeC:\Windows\system32\WlanHelper.exeexecutable
MD5:702F9B51C8DE5C44C86759562F9EEFF6
SHA256:E97C1C05A9E18D8B53567E80DB1BB538F7AFB279A8BBA922BAF61A046BE949A1
3024npcap-1.60.exeC:\Program Files\Npcap\LICENSEtext
MD5:8A34E953E4AB7BB7FB3F66F07C3747EB
SHA256:8896763A2F38C20128D9FCE92DA20BBD04CF91531B976053E7F55C1339E135CF
2172NPFInstall.exeC:\Program Files\Npcap\NPFInstall.logtext
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
3024npcap-1.60.exeC:\Windows\system32\Packet.dllexecutable
MD5:11FF6FE0CE86DCF88097613E88147D34
SHA256:9751BF77EEBF9B5DB6F2B59E1399FF3EDA0E22D9DCEDCE35AEF5CF447F5106AB
3024npcap-1.60.exeC:\Windows\system32\Npcap\wpcap.dllexecutable
MD5:0EC812F5D8A1B680CAA272D798F4788D
SHA256:9F1D5A92D5DD7F15D62EBFF1F99755015D3E591933D45E6D246353E7986BFB58
3024npcap-1.60.exeC:\Windows\system32\wpcap.dllexecutable
MD5:0EC812F5D8A1B680CAA272D798F4788D
SHA256:9F1D5A92D5DD7F15D62EBFF1F99755015D3E591933D45E6D246353E7986BFB58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
npcap-1.60.exe