99f690503d8e968e7b9576e1b835d7274c5c93e12b473b78df844fbe81cf3352

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nessus-10.7.2-x64.msi
Size

100.4MB
MD5

1f37134300996d73b90e303ed43015b0
SHA1

76902f797742ba3737c98227bde0d6d17041d4ec
SHA256

99f690503d8e968e7b9576e1b835d7274c5c93e12b473b78df844fbe81cf3352
SHA512

aabfada28cc0ef764c800c207d9d03ada7c7e8eec543ebea653c1f999c052a4e02142c18419e446a432fe68010f3cb6855f3df3356f8202a71243eebac7060e0
SSDEEP

1572864:wmptsYXW8boLwo9N9l+uPhsw1OFe2h+ZdhwBasWvEghI3yuLsa2Phzsu8oGK++h:aYm8b8GJWO4JdhwBasWrhIRLsf4u8K

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5988 powershell.exe
1220 powershell.exe

pid	process
5988	powershell.exe
1220	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

NPFInstall.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET998C.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SET998C.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.execertutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
5920	icacls.exe
6108	icacls.exe
5400	icacls.exe
5252	icacls.exe
5296	icacls.exe
5760	icacls.exe
6072	icacls.exe
4872	icacls.exe
5164	icacls.exe
5204	icacls.exe
4040	icacls.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

5 1176 msiexec.exe
7 1176 msiexec.exe

flow	pid	process
5	1176	msiexec.exe
7	1176	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 34 IoCs

Processes:

DrvInst.exeNPFInstall.exenpcap-1.72-oem.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET966F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.72-oem.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.72-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET967F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.72-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.72-oem.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.72-oem.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.72-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET966F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.PNF	NPFInstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET9680.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET967F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\SET9680.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.72-oem.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.72-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 29 IoCs

Processes:

npcap-1.72-oem.exemsiexec.exeNPFInstall.exeNPFInstall.exeNPFInstall.exeNPFInstall.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.72-oem.exe
File created	C:\Program Files\Npcap\DiagReport.bat	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\ndbg.exe	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\nessus-service.exe	msiexec.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\CheckStatus.bat	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\legacy.dll	msiexec.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\DiagReport.ps1	npcap-1.72-oem.exe
File created	C:\Program Files\Npcap\NPFInstall.exe	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\icudt73.dll	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\icuuc73.dll	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\nessuscli.exe	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\openssl.exe	msiexec.exe
File created	C:\Program Files\Npcap\LICENSE	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\Nessus Web Client.url	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\nasl.exe	msiexec.exe
File created	C:\Program Files\Tenable\Nessus\nessusd.exe	msiexec.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.72-oem.exe
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.72-oem.exe
File created	C:\Program Files\Npcap\npcap_wfp.inf	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\License.rtf	msiexec.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.72-oem.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-1.72-oem.exe
File created	C:\Program Files\Npcap\npcap.inf	npcap-1.72-oem.exe
File created	C:\Program Files\Tenable\Nessus\.winperms	MsiExec.exe
File created	C:\Program Files\Tenable\Nessus\fips.dll	msiexec.exe

Drops file in Windows directory 50 IoCs

Processes:

msiexec.exeNPFInstall.exeDrvInst.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\{CC376B82-356C-4C15-AC6A-3895C182965D}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIAFDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI736A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI686B.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F14.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\e5851b5.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5445.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CC376B82-356C-4C15-AC6A-3895C182965D}	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87FE.tmp	msiexec.exe
File created	C:\Windows\Installer\e5851b5.msi	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\e5851b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfc140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\{CC376B82-356C-4C15-AC6A-3895C182965D}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\28B673CCC65351C4CAA683591C2869D5\10.7.2\mfc140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Executes dropped EXE 64 IoCs

Processes:

ISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeVC_redist.x64.exeVC_redist.x64.exeISBEW64.exeISBEW64.exe

pid	process
1108	ISBEW64.exe
1220	ISBEW64.exe
5088	ISBEW64.exe
3936	ISBEW64.exe
936	ISBEW64.exe
2956	ISBEW64.exe
3144	ISBEW64.exe
1392	ISBEW64.exe
5096	ISBEW64.exe
4428	ISBEW64.exe
32	ISBEW64.exe
5132	ISBEW64.exe
5172	ISBEW64.exe
5212	ISBEW64.exe
5256	ISBEW64.exe
5352	ISBEW64.exe
5388	ISBEW64.exe
5424	ISBEW64.exe
5460	ISBEW64.exe
5504	ISBEW64.exe
5676	ISBEW64.exe
5720	ISBEW64.exe
5756	ISBEW64.exe
5792	ISBEW64.exe
5828	ISBEW64.exe
5916	ISBEW64.exe
5948	ISBEW64.exe
5980	ISBEW64.exe
6012	ISBEW64.exe
6044	ISBEW64.exe
32	ISBEW64.exe
5132	ISBEW64.exe
5184	ISBEW64.exe
2528	ISBEW64.exe
5236	ISBEW64.exe
5268	ISBEW64.exe
5344	ISBEW64.exe
4396	ISBEW64.exe
5420	ISBEW64.exe
5456	ISBEW64.exe
5668	ISBEW64.exe
5716	ISBEW64.exe
5752	ISBEW64.exe
5772	ISBEW64.exe
5800	ISBEW64.exe
5880	ISBEW64.exe
5900	ISBEW64.exe
5952	ISBEW64.exe
5984	ISBEW64.exe
6016	ISBEW64.exe
5732	ISBEW64.exe
5772	ISBEW64.exe
5816	ISBEW64.exe
5876	ISBEW64.exe
5960	ISBEW64.exe
6064	ISBEW64.exe
6068	ISBEW64.exe
3896	ISBEW64.exe
6100	ISBEW64.exe
4124	ISBEW64.exe
5124	VC_redist.x64.exe
5140	VC_redist.x64.exe
5524	ISBEW64.exe
2456	ISBEW64.exe

Loads dropped DLL 61 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeVC_redist.x64.exenpcap-1.72-oem.exenessuscli.exeopenssl.exenessusd.exe

pid	process
472	MsiExec.exe
472	MsiExec.exe
472	MsiExec.exe
472	MsiExec.exe
472	MsiExec.exe
472	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
392	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
5140	VC_redist.x64.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
6028	npcap-1.72-oem.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
656	nessuscli.exe
656	nessuscli.exe
656	nessuscli.exe
656	nessuscli.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
5724	openssl.exe
5684	nessusd.exe
5684	nessusd.exe
5684	nessusd.exe
5684	nessusd.exe
5684	nessusd.exe
472	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 43 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exeNPFInstall.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000073c7eb973396fb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000073c7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900073c7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d073c7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000073c7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exepowershell.exepowershell.exemsiexec.execertutil.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\wsdapi.dll,-200 = "Trusted Devices"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\SessEnv.dll,-101 = "Remote Desktop"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\CertCA.dll,-304 = "Endorsement Key Trusted Root Certification Authorities"	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\Version = "168230914"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\28B673CCC65351C4CAA683591C2869D5\Nessus_Server	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\ProductName = "Tenable Nessus (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\PackageCode = "EB42ECE00F8035C458058655A3881D2A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\ProductIcon = "C:\\Windows\\Installer\\{CC376B82-356C-4C15-AC6A-3895C182965D}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\28B673CCC65351C4CAA683591C2869D5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F97AA483E2482746973407E53970BEC\28B673CCC65351C4CAA683591C2869D5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F97AA483E2482746973407E53970BEC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\PackageName = "Nessus-10.7.2-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\28B673CCC65351C4CAA683591C2869D5\AdvertiseFlags = "388"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exeNPFInstall.exepowershell.exepowershell.exe

pid	process
4828	chrome.exe
4828	chrome.exe
5932	NPFInstall.exe
5932	NPFInstall.exe
5988	powershell.exe
5988	powershell.exe
5988	powershell.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4828 chrome.exe
4828 chrome.exe
4828 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1176	msiexec.exe
Token: SeSecurityPrivilege	4976	msiexec.exe
Token: SeCreateTokenPrivilege	1176	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1176	msiexec.exe
Token: SeLockMemoryPrivilege	1176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1176	msiexec.exe
Token: SeMachineAccountPrivilege	1176	msiexec.exe
Token: SeTcbPrivilege	1176	msiexec.exe
Token: SeSecurityPrivilege	1176	msiexec.exe
Token: SeTakeOwnershipPrivilege	1176	msiexec.exe
Token: SeLoadDriverPrivilege	1176	msiexec.exe
Token: SeSystemProfilePrivilege	1176	msiexec.exe
Token: SeSystemtimePrivilege	1176	msiexec.exe
Token: SeProfSingleProcessPrivilege	1176	msiexec.exe
Token: SeIncBasePriorityPrivilege	1176	msiexec.exe
Token: SeCreatePagefilePrivilege	1176	msiexec.exe
Token: SeCreatePermanentPrivilege	1176	msiexec.exe
Token: SeBackupPrivilege	1176	msiexec.exe
Token: SeRestorePrivilege	1176	msiexec.exe
Token: SeShutdownPrivilege	1176	msiexec.exe
Token: SeDebugPrivilege	1176	msiexec.exe
Token: SeAuditPrivilege	1176	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1176	msiexec.exe
Token: SeChangeNotifyPrivilege	1176	msiexec.exe
Token: SeRemoteShutdownPrivilege	1176	msiexec.exe
Token: SeUndockPrivilege	1176	msiexec.exe
Token: SeSyncAgentPrivilege	1176	msiexec.exe
Token: SeEnableDelegationPrivilege	1176	msiexec.exe
Token: SeManageVolumePrivilege	1176	msiexec.exe
Token: SeImpersonatePrivilege	1176	msiexec.exe
Token: SeCreateGlobalPrivilege	1176	msiexec.exe
Token: SeCreateTokenPrivilege	1176	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1176	msiexec.exe
Token: SeLockMemoryPrivilege	1176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1176	msiexec.exe
Token: SeMachineAccountPrivilege	1176	msiexec.exe
Token: SeTcbPrivilege	1176	msiexec.exe
Token: SeSecurityPrivilege	1176	msiexec.exe
Token: SeTakeOwnershipPrivilege	1176	msiexec.exe
Token: SeLoadDriverPrivilege	1176	msiexec.exe
Token: SeSystemProfilePrivilege	1176	msiexec.exe
Token: SeSystemtimePrivilege	1176	msiexec.exe
Token: SeProfSingleProcessPrivilege	1176	msiexec.exe
Token: SeIncBasePriorityPrivilege	1176	msiexec.exe
Token: SeCreatePagefilePrivilege	1176	msiexec.exe
Token: SeCreatePermanentPrivilege	1176	msiexec.exe
Token: SeBackupPrivilege	1176	msiexec.exe
Token: SeRestorePrivilege	1176	msiexec.exe
Token: SeShutdownPrivilege	1176	msiexec.exe
Token: SeDebugPrivilege	1176	msiexec.exe
Token: SeAuditPrivilege	1176	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1176	msiexec.exe
Token: SeChangeNotifyPrivilege	1176	msiexec.exe
Token: SeRemoteShutdownPrivilege	1176	msiexec.exe
Token: SeUndockPrivilege	1176	msiexec.exe
Token: SeSyncAgentPrivilege	1176	msiexec.exe
Token: SeEnableDelegationPrivilege	1176	msiexec.exe
Token: SeManageVolumePrivilege	1176	msiexec.exe
Token: SeImpersonatePrivilege	1176	msiexec.exe
Token: SeCreateGlobalPrivilege	1176	msiexec.exe
Token: SeCreateTokenPrivilege	1176	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1176	msiexec.exe
Token: SeLockMemoryPrivilege	1176	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msiexec.exechrome.exe

pid	process
1176	msiexec.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exechrome.exe

description	pid	process	target process
PID 4976 wrote to memory of 472	4976	msiexec.exe	MsiExec.exe
PID 4976 wrote to memory of 472	4976	msiexec.exe	MsiExec.exe
PID 4976 wrote to memory of 472	4976	msiexec.exe	MsiExec.exe
PID 472 wrote to memory of 1108	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 1108	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 1220	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 1220	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 5088	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 5088	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 3936	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 3936	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 936	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 936	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 2956	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 2956	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 3144	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 3144	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 1392	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 1392	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 5096	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 5096	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 4428	472	MsiExec.exe	ISBEW64.exe
PID 472 wrote to memory of 4428	472	MsiExec.exe	ISBEW64.exe
PID 4828 wrote to memory of 412	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 412	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3140	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3400	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3400	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe
PID 4828 wrote to memory of 3132	4828	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Nessus-10.7.2-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 50DD8C1330A4508CE48E0519B43CA56D C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E71E37A-EE56-4A32-B06E-AA249C29B03B}
3⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5250E337-D58B-4490-9BA1-AAE250754F99}
3⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4DC88C3B-1450-4751-86E9-8E882D631053}
3⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CDB0B59D-D711-47F3-9244-7E4BFBA30DD3}
3⤵
- Executes dropped EXE
PID:3936

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9222F097-1BE8-47D9-9BDE-0E43AFCD73AB}
3⤵
- Executes dropped EXE
PID:936

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1DE72E5-AECC-4399-B9AA-E6CDB808B121}
3⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BEAD7BF-B173-4A9F-8537-8B3B8B325D00}
3⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25777D01-3559-41CB-BA1D-2202F36255CC}
3⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E12AE6CE-A734-44C8-B331-1F98578BD84D}
3⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA597505-42A9-4F78-9363-8EFB4B382AEB}
3⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2696

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 75981CAC03DC4EDC05A1860773309620
2⤵
- Loads dropped DLL
PID:392

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8727E67B-6142-4263-AE31-D5DB8305EA3D}
3⤵
- Executes dropped EXE
PID:32

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E8932B1E-10B2-429B-B481-850665C568A3}
3⤵
- Executes dropped EXE
PID:5132

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AFBC0ECE-A701-480F-8E6D-39F825CC5157}
3⤵
- Executes dropped EXE
PID:5172

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{288EA7D6-99D6-4D70-A785-6009C52AFA27}
3⤵
- Executes dropped EXE
PID:5212

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0714AEA3-43B3-4CD2-8BCA-C41E6B73933E}
3⤵
- Executes dropped EXE
PID:5256

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{799C9C14-F596-4E91-8819-2682D676F895}
3⤵
- Executes dropped EXE
PID:5352

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F7D91BC-1E7A-43DF-B324-079BA06F942A}
3⤵
- Executes dropped EXE
PID:5388

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E48CD7C5-0BDB-4C6E-90C5-D3C092BB1863}
3⤵
- Executes dropped EXE
PID:5424

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13C80741-C612-4701-8B6E-C1F7D8B8EEEA}
3⤵
- Executes dropped EXE
PID:5460

C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAFFE20F-60BA-44DB-8532-247A215E865E}
3⤵
- Executes dropped EXE
PID:5504

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD029F42-38D9-46F3-918B-F7D2705261F3}
3⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37320AA1-ADD0-45FE-9257-35F6092C983B}
3⤵
- Executes dropped EXE
PID:5720

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{202CE4A3-3058-4513-98F7-ECA5F9CFF534}
3⤵
- Executes dropped EXE
PID:5756

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F6807FC1-B700-4644-8501-918DBE5DF7A9}
3⤵
- Executes dropped EXE
PID:5792

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6456C0C6-6DB2-491B-8756-5EFCBF9ED824}
3⤵
- Executes dropped EXE
PID:5828

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B109E5F0-6387-44BA-A7D8-F272D29C2834}
3⤵
- Executes dropped EXE
PID:5916

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B73C381F-2AD8-46BF-A388-4975055CFCF0}
3⤵
- Executes dropped EXE
PID:5948

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3850D4E-4234-48EA-BC37-A20BD049E131}
3⤵
- Executes dropped EXE
PID:5980

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CE7C81CE-08B8-4B9C-A390-B20AF2352902}
3⤵
- Executes dropped EXE
PID:6012

C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{355A8A05-B693-432D-BE9C-08E90749F119}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C8B087F8-038F-4C2E-9DB3-775B68E56EAB}
3⤵
- Executes dropped EXE
PID:6044

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5878709-52C8-4A02-BA01-93CF600F87D0}
3⤵
- Executes dropped EXE
PID:32

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E8731C71-D2F6-40AD-8087-457CCAE70B34}
3⤵
- Executes dropped EXE
PID:5132

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{29B18DB9-27E2-4FD9-95B3-FA160F04A3A5}
3⤵
- Executes dropped EXE
PID:5184

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5273937B-CDCA-42BD-8FC8-8E592FF7BBA7}
3⤵
- Executes dropped EXE
PID:2528

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56CB0E41-F16C-49B9-A293-07389F90FE38}
3⤵
- Executes dropped EXE
PID:5236

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94CA18B9-9DDD-48BA-A251-662759FE5DD6}
3⤵
- Executes dropped EXE
PID:5268

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FF2FE1CE-C76E-4B21-A616-FFE60A894B1D}
3⤵
- Executes dropped EXE
PID:5344

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{830F58B2-BB5A-4E4D-8726-0F6CFBCDE3F8}
3⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6D8BB513-6D51-4DCC-8E2C-01B988ACA240}
3⤵
- Executes dropped EXE
PID:5420

C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{B8203D47-2E69-4320-992D-13216497D3EE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8E2909C-DA0E-4C5F-94B5-EAD7156158B9}
3⤵
- Executes dropped EXE
PID:5456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 413B04412322F1BDF9324120FAF9C61B E Global\MSI0000
2⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:4276

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8ED63069-81A5-490C-A2D5-5CC4D2AA21A2}
3⤵
- Executes dropped EXE
PID:5668

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{846E0A31-21AB-4739-A00E-3DB2579CE4B3}
3⤵
- Executes dropped EXE
PID:5716

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{824728F8-6783-4C82-8616-612A09335031}
3⤵
- Executes dropped EXE
PID:5752

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D833C93C-E755-43E7-901C-A2CB15FF1B11}
3⤵
- Executes dropped EXE
PID:5772

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{78530013-08B4-4715-B8BD-D1A7AC87DA7E}
3⤵
- Executes dropped EXE
PID:5800

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ABD2E375-DFCC-40DA-8BF8-D674FB2BF806}
3⤵
- Executes dropped EXE
PID:5880

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90CF1C58-B12E-4986-8E66-55F01277F757}
3⤵
- Executes dropped EXE
PID:5900

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F109AB6-BE43-45A7-BEFE-898FD8AA175F}
3⤵
- Executes dropped EXE
PID:5952

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CF2A89E5-A75C-414E-A026-A6D1A60D0237}
3⤵
- Executes dropped EXE
PID:5984

C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{9A89A202-1580-4AF8-800B-E058D31AC2E8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7FBCFFB4-EFF5-4126-9CBD-39EF0C49C5CC}
3⤵
- Executes dropped EXE
PID:6016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Tenable\Nessus" /t /q /inheritance:d
3⤵
- Modifies file permissions
PID:6072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:6044

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Tenable\Nessus" /t /q /remove *S-1-5-32-545
3⤵
- Modifies file permissions
PID:5920

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Tenable\Nessus" /t /q /remove *S-1-5-11
3⤵
- Modifies file permissions
PID:6108

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Tenable\Nessus" /t /q /grant *S-1-5-32-545:(CI)(OI)RX
3⤵
- Modifies file permissions
PID:4872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Tenable\Nessus\*" /t /q /reset
3⤵
- Modifies file permissions
PID:5164

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Tenable\Nessus" /t /q /inheritance:d
3⤵
- Modifies file permissions
PID:5204

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Tenable\Nessus" /t /q /remove *S-1-5-32-545
3⤵
- Modifies file permissions
PID:4040

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Tenable\Nessus" /t /q /remove *S-1-5-11
3⤵
- Modifies file permissions
PID:5252

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Tenable\Nessus" /t /q /grant *S-1-5-32-545:(CI)(OI)RX
3⤵
- Modifies file permissions
PID:5296

C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Tenable\Nessus\*" /t /q /reset
3⤵
- Modifies file permissions
PID:5400

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8660BE4-A129-47CB-97E8-4776CF2C600B}
3⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56491045-E377-4F71-AA63-5F3D18DBC3FE}
3⤵
- Executes dropped EXE
PID:5772

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{557130CE-EF39-4F5A-A25C-6BC262893BC4}
3⤵
- Executes dropped EXE
PID:5816

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{638C1D6C-F8CA-4BC7-80BC-E4CC72D689A4}
3⤵
- Executes dropped EXE
PID:5876

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66DC722D-1DC6-44DE-BDFF-9CD1A1FA3317}
3⤵
- Executes dropped EXE
PID:5960

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5CE0E13-8D39-49A3-A892-BCDF9307376D}
3⤵
- Executes dropped EXE
PID:6064

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{461E582A-E9A1-4862-8B98-306B6E121315}
3⤵
- Executes dropped EXE
PID:6068

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C5D28F2-FB53-4BD1-9F3A-9DF008679832}
3⤵
- Executes dropped EXE
PID:3896

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58D85904-F430-43FB-AFC5-38B215E65372}
3⤵
- Executes dropped EXE
PID:6100

C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{24E4FC58-4B14-441D-9321-0D2269ACB26A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67497DBE-A31F-4D82-9E17-C81A32C810E9}
3⤵
- Executes dropped EXE
PID:4124

C:\Users\Admin\AppData\Local\Temp\{CC376B82-356C-4C15-AC6A-3895C182965D}\VC_redist.x64.exe
VC_redist.x64.exe /clone_wait /q
3⤵
- Executes dropped EXE
PID:5124

C:\Windows\Temp\{7060C219-BCD6-48BE-B08F-F6C1519344CF}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{7060C219-BCD6-48BE-B08F-F6C1519344CF}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\{CC376B82-356C-4C15-AC6A-3895C182965D}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=516 /clone_wait /q
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5140

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A123CF89-2163-4F07-87FA-A874A85091FB}
3⤵
- Executes dropped EXE
PID:5524

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A305C219-A3D4-49C1-A74E-F8BBD1EEBB26}
3⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{011AFA64-DBBB-40D1-BD79-3A65FFCC28F0}
3⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8837D855-E687-4295-B104-2672CDF1BDF3}
3⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA1C2789-EDEF-420B-9EA3-BC93F0E4FD63}
3⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6796F776-B657-4F31-88CC-59A53D9BF821}
3⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F35C67F-B13F-44A3-B6FB-A4573A7E1173}
3⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4989CAD-98E3-4574-85B0-A7D1ADDEA66C}
3⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22CAB6A8-FD1B-4E75-A1D7-98B62F08F6EA}
3⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7B036F21-8AFE-45EB-9FF2-AA4D2509A26C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22CA1EF1-3667-40E9-A2A1-F49AC3A2136E}
3⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\{CC376B82-356C-4C15-AC6A-3895C182965D}\npcap-1.72-oem.exe
npcap-1.72-oem.exe /S /winpcap_mode=no
3⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
PID:6028

C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\NPFInstall.exe
"C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\NPFInstall.exe" -n -check_dll
4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5932

C:\Windows\SysWOW64\certutil.exe
certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\roots.p7b"
4⤵
- Manipulates Digital Signatures
- Modifies data under HKEY_USERS
PID:5748

C:\Windows\SysWOW64\certutil.exe
certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\signing.p7b"
4⤵
- Manipulates Digital Signatures
PID:5776

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -c
4⤵
- Drops file in Program Files directory
PID:5904

C:\Windows\SYSTEM32\pnputil.exe
pnputil.exe -e
5⤵
PID:5984

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -iw
4⤵
- Drops file in Program Files directory
PID:6076

C:\Program Files\Npcap\NPFInstall.exe
"C:\Program Files\Npcap\NPFInstall.exe" -n -i
4⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2AC7B7FA-FEF1-4A4F-9E47-62B7E208568B}
3⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7534716E-70B4-4DBB-99A1-575FC97507A5}
3⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C4B3EC4-AC4E-4F9E-9CD4-9DEF8E4B8EEA}
3⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A1EEF33-B254-4AEA-BD4C-8C58CF0F59A2}
3⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F544D987-EA31-443E-AD4B-9A7185B573CA}
3⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CAB1993-B91E-4B71-A813-C26F636B6647}
3⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CABD1390-B691-4C0B-8D50-F550F849D132}
3⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A2FEE49B-3B5F-4B8A-B547-2C6CE6685F7E}
3⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1DCE759-1B3A-4638-8F39-3B8A5D6DAFAF}
3⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{7439B29D-FA31-4EC9-A828-142117AE1E8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{258D4184-AEF0-430E-B184-53BFAC227016}
3⤵
PID:5872

C:\Program Files\Tenable\Nessus\nessuscli.exe
"C:\Program Files\Tenable\Nessus\nessuscli" install "C:\ProgramData\Tenable\Nessus\nessus\plugins-core.tar.gz"
3⤵
- Loads dropped DLL
PID:656

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8E4B2524-356E-44F1-86CB-2CBE78AAC085}
3⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25D218CF-EE9A-4EF9-A3B0-507ABE4654B5}
3⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{026B4C2A-0524-4977-81AD-D6F7912B50D9}
3⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA723F2F-A242-4E34-B8F6-8C7F1F021B12}
3⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{718C38CD-3044-4896-A27A-DFD9BA7AD9D7}
3⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{515FE4B0-DC22-4DA5-8306-4993BEBF9852}
3⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB597195-C1C6-45F9-A669-7C2107EBB330}
3⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A497DB00-AC73-411A-BB9A-BADCF60F9B7C}
3⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0B15992-81D2-4995-B87F-D3D6D084AA88}
3⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{827BC807-A385-4D38-8C4F-2E2D564FDE7C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{654B6C66-DAA1-4C5D-8A4E-E6135E10E174}
3⤵
PID:5864

C:\Program Files\Tenable\Nessus\openssl.exe
"C:\Program Files\Tenable\Nessus\openssl.exe" fipsinstall -out "C:\ProgramData\Tenable\Nessus\conf\fipsmodule.cnf" -module "C:\Program Files\Tenable\Nessus\fips.dll"
3⤵
- Loads dropped DLL
PID:5724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9ea62ab58,0x7ff9ea62ab68,0x7ff9ea62ab78
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:2
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:1
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:1
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:1
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1964,i,15819242118038573841,8799335676678654413,131072 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5272

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files\Npcap\NPCAP.inf" "9" "405306be3" "0000000000000154" "WinSta0\Default" "00000000000000BC" "208" "C:\Program Files\Npcap"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1796

C:\Program Files\Tenable\Nessus\nessus-service.exe
"C:\Program Files\Tenable\Nessus\nessus-service.exe"
1⤵
PID:4696

C:\Program Files\Tenable\Nessus\nessusd.exe
nessusd.exe
2⤵
- Loads dropped DLL
PID:5684

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
"java" -version
3⤵
PID:220

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5851b6.rbs

Filesize
23KB

MD5
2e2beb99fb5cb47481abfebd1f8c0df4

SHA1
506ceb8eeb3b96fb9d5115c195102926699ce97e

SHA256
4e868c405cfe5be39d277127d527f43282639adc84babc40ce2982ec6bd54149

SHA512
0e973e63a38eb2ec3311713dda4532f20028cfad027443ffed25379cd1d393529c931a5d55f68e4371cb927da54c43e43c4584150c4d26e15c9c9bdfe035490c

Download Submit
C:\Program Files\Npcap\NPFInstall.exe

Filesize
301KB

MD5
69a2863281739e40702e40fde07ef72d

SHA1
8cf737fb5845a45445483cb1fae533c5a61da028

SHA256
5c2e569db9c5a978004b8fbf04ed372071ad998d759a12e5aaba470df158889e

SHA512
2315a4aa52f579a3633bd9c61c293b9fa78725d8331deee6ca24db70fb2565f431fc0f7f1ee84881b2e34b778ffc91c45e1b694ae517cdd266b0875e7089f178

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
c1d4ea64667d6ca6a1d51657cfcb89e9

SHA1
2be868cd263796ce00a4eff3e87c51ac9e827f78

SHA256
6bd15b0f4c6fd5da33da91d76d16f3148e9f9328632947cc9e52a88ff406ab33

SHA512
2de8855a99efaa9c634b18a776034eec7c7afa6f77de530cf9aeae9321bca8ef14bb53de02a24bbe3e8a981f536a1b788211d24635a68e33fbfd46675f67bebb

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
77025dc2d147eb9ab6ce0252790f932a

SHA1
a507ac9390afb8534c5247dd46d18993f6a79715

SHA256
d4a51a046923431cda3dbbbf884e546204c294c2b13c71db0edefdd735532389

SHA512
7e5191766178d9699c15bd507b53e8b9bf817bc54690a9c99319e37a2fbe2f5337044939489b27d579cfe0e46e64c3fdc4dddf5aeccc9d44611e6278755f4e9f

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
20ad68a713e00f3a27e94479f030185f

SHA1
95869de238c5c74825811988fefc00fa5f60df95

SHA256
c9d61f3a6d470c25d433546544a73582b815aa840e9b2f696a041046572769b8

SHA512
97b78f976d9783679b90fecf9974b227f79f41e37e6a682e7ea9b72c2151e528279b05f33f2f23c297cfdd5fd8ef9e8fe53cb5f7a8cb3b827339c665b322d160

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
6KB

MD5
d441253067cca24217a761902db3af9c

SHA1
885f233714f61b5854cfb011a61ff8fbc674be82

SHA256
517cbb6c1db6296460b5c16210532288c20cbf5b7edcc44207bd6d82cd7b89c7

SHA512
92fc532da4700b52f983cc0024434e2ef25af70bc5d480f1c09291419d14b5ee97f7f07779c059c2c1257b1044227998d7d68b9486a856c63ac7641036ef0a8a

Download Submit
C:\ProgramData\Tenable\Nessus\conf\nessus-fetch.db

Filesize
4KB

MD5
06935bafaa972ee5aa7bbefbb8b06776

SHA1
6c21ce9b11107ec2e384ad62e0981b2505833306

SHA256
5de803124b5dbaf218494d3f370ffe8403118f54c212c44a04002197557a4965

SHA512
25bab244c2641b977c4518fa6de6698bd0ec859a93aea037caf9165c7d6f7ffc910754b2d1529ce167ebbddfe8474bfe0909b54983bb7f9e8c47e54201154cdf

Download Submit
C:\ProgramData\Tenable\Nessus\conf\nessusd.db

Filesize
6KB

MD5
3d91a6d80c83ec89fae640366c672921

SHA1
45d1fe44bb09b10f6e339f381bce12ab0fe0fa1b

SHA256
6fc78502ac32564f673282923fa7257e859803d827fbdba91ffc48c1d6d30bce

SHA512
9fe5b52d341dbc370304425b75f436ebc46c72c24978f85ccd8ab9d89bca6bdc9f8513302576da2245becb289feed847be9b5cad042d67c033fae16c55c6beea

Download Submit
C:\ProgramData\Tenable\Nessus\conf\nessusd.db

Filesize
10KB

MD5
4d4c28470e75ad36a60b5e8fac9ab1d9

SHA1
2edbce76113d9605abe8a439d78a7a5261313395

SHA256
dbee59e78f384c653577a83c438f4679b1bacbe0810df3738963088c65b6b9ac

SHA512
a61ee8cce6c26d599d6189d0ad6400cade22655874353fccaf3cd17b244ae7ea7165e3c471921db94b4b6e558ee2ea80ecac22c989cac989fc1e46c6fbcdbfab

Download Submit
C:\ProgramData\Tenable\Nessus\conf\nessusd.rules

Filesize
865B

MD5
e90030543cc6e5fbc1b4c1f958dc5f4b

SHA1
d87ebe54bb89358c71540f5304760484ee3625b8

SHA256
6103c47c4daf11b862c591d399d663aa71f72768004e6f4a26b33cc499f6a212

SHA512
64be069116095d64fd79a21867b6ce9b626d70307ad644a6d8405e8431d821ce7a9dd150b4a93de944f7eab1e5ac121ca6e279bb52f914818bc8f9051391fa99

Download Submit
C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem

Filesize
1KB

MD5
f5df3a72ecef3e78c4401e2ec70576f3

SHA1
a9b342796f422a3f8a80215462b2dd8728e29b39

SHA256
86e79a6f6eb72d991aa02cdae9a766ec7d294bd666c334e39e010cbf02e2edee

SHA512
eb7c2218c2bc2ca29b6065b986a928d47afa408875507c5c983f45df94b343b5c66c6022f6ffbddf43d6cfdf771e5ff6c228db333d33b123296004d8d6ce5c2d

Download Submit
C:\ProgramData\Tenable\Nessus\nessus\plugins-attributes.db

Filesize
97KB

MD5
4a7391e35fe81673910cc40738394bb9

SHA1
b583336c49a769476d90eeaaf4a07e5e74b840f8

SHA256
6b4669fedc88b594a04b5690277b383b16e3f992c927722bd3fb874b9542d3ec

SHA512
0c375f73e0e16734a27bf4ee07988e548b3eb2adf9ac2dae2da0edf069dc4bd11a5beb6a78e409305c3777c05e3e7027a01fa7ccb438918b0feea76b67da90dc

Download Submit
C:\ProgramData\Tenable\Nessus\nessus\plugins-lib.db

Filesize
20B

MD5
b5f9a0bc2e7cdcaf9d0353c19100f355

SHA1
c8d80a836fd811a5630543e8b36ab161ece015f2

SHA256
eaf8d5a3bb596988825c1718e323e6c34aef8433b4f7db833914028d9433dfe6

SHA512
95f4a9dc948352374b742382a447c2ae17ac7326e823247a4dc26e5b434855aee048e63ded696c143145facd76d33e350178a723a8dc5d1b2cb777702d206f14

Download Submit
C:\ProgramData\Tenable\Nessus\nessus\uuid

Filesize
52B

MD5
20b64919bd98275d105563cb7457df25

SHA1
af32996d0677cbda0d4871cbb53ce445bc3efe46

SHA256
ad39616a149ef1825297e5965f3e3f666ca95e8598f4fbd9d42de61fcfb1d267

SHA512
5a2b7f37c1912b7480f8e5217834af7f47b57275ef13dd1ed6999736707c3df737f3c75c9070161e9c8a345d68ba156b2d21d9ceb61a2f37a92a2afd0748820f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
a8cc22618e868e1ee10efdfa626e7721

SHA1
3ed13535d1494e2d7749769d341332dffaec6370

SHA256
246744cdc79a5585f68d95d6a98473ee12383c85471f6e4f7e0fcfcd655868f5

SHA512
18a3036d061558b11fee0d914904521d06970c3a9dd7fe65826b45f7037d463e538e40142647c9cd97c7a6c3346dc9745b80c35b48ab5c30df4fc73752ab5b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_3D5C203DF8CC546BDF39F4259AAB626B

Filesize
727B

MD5
95cc1d0ac4875f96b60127688ecd6121

SHA1
743e887afc43bb7d6a9be5788cbf5e5e201b090f

SHA256
46db7662a09ececb2dc58b4098bfb4d671bb1e0b25819dccd1dcb97b6e39ecd9

SHA512
e5f736dc6eb51c405509972113bf6862447d50ed8fd872523de0c98e178a1881231e53fd470af74ef5b0cf25f2174be6b3a25e71cca077a4f91412d4edc4cb88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
a90ff749a13166b81da25cdcbc82c54d

SHA1
a09692688b0a86d9e06b6a3697d2a1793f367961

SHA256
4b1553fdbeca127a257bed3bd232cad24df64166cd39a54159893d5c350ac742

SHA512
54dfe43bb1c88eac7d29e641171a27f72270bea50d3d989217f3a739943f4a3d751689dab68319ed7e800986cac1c5053305252a5f92fe14f1566f425f7994b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
04964dab08793ae573993898eeb4b951

SHA1
5a1ddee77c654365604f4abd417298696278153e

SHA256
b18785ba8ed5c1e6a4d57a694528daa235c5586051fef0978d6aff4e125b13e0

SHA512
70fac1ef9b830c56c9571840d431dd3ce04066e0ebb541ec381ceb572d11977db22852985180034d6411327f832919849edda24c5f4c3c0a0d23d6b630f3a4d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_3D5C203DF8CC546BDF39F4259AAB626B

Filesize
404B

MD5
7189f98ea13ef69ec2b0fb254516aff3

SHA1
cea168b949dc2fb6122a951deb07cb7769263ce9

SHA256
fd4434693b5d4802299fb06644e4e1ce185fabbe8a70d01ae75f55033d3392c5

SHA512
999b066cbde0674d54d01d627ed08c714afee61dc06c0e1b59262f7f3b7db780321b5591dc1e9005b5d75319b2cc1d4ce4ac6ef132f3665f966bdcb28b6729dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
06b68b7f5012125631d63feae06f8d08

SHA1
23d8a868cc4dbbf63b1ccd30de59ff3a9f81b5ff

SHA256
9bc07742d4954225876ca7296a2a2cda56b93cdfc09b1982b880ed7954654573

SHA512
8ee40df3ff598e6a51bf60410235bdb8443f30265b0f36c2ed6ddd3035431e3e700434d9afe219ac3984691c04b2a0c77b7de12369285b64e711861ad4833249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9aece98e8d3fc1dfa723f192ea0bab7c

SHA1
86061209de40a0b60967bf4ecfa092a491e3c299

SHA256
18e427a0737314b1074290c30d205ca0345169f47afe704650f633c4dc6f7c61

SHA512
57c8c2b36bbd74426908c3ef923e4df03366fbe746349a661ac6331be727066144717b5b7cb5cc4545751f2ecc0fd3c8954db96cd883a64990ee5c556dd6007d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
c0ac19fdd1a3e7bc36efbf90d9677005

SHA1
1558055bf6dbcee4b6d948bb1c1fe8bb09ffc160

SHA256
9933f65acb1817cc631bee663b7fcb37e3bc75c1d8bb053671ce68097cf0cf74

SHA512
f5bd6506e4e8222a0e05e1ada26e6b8664e0b55f80e6e405a04cc042b26203a967b72b2ab4673bc8f361df6a7a2176f7be8551e60c44e74a932cacf26a5cf6ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9fb57714538475d64a5b847001fb94a8

SHA1
29d65ee24c73d244d796b19277933b5d055e7ab7

SHA256
28e2c2ef8a87db804dc5c7e7a345facf2061aa80bf46c3c74c65d5eef1c6aa89

SHA512
9d978ee1c4a307df1130051da3d9da147d4e370820c162909602ed512542a8995de2f7e9a925b3c45f632de39e99f8ae37f068451dbcb5b91cda513bf86f84ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
bd9572f74e6b191e0a0fb9592cea6fed

SHA1
6d781a0a84f9ef7fd8632398c036831abf5b6497

SHA256
768e5e447e5b1349e7f22c7aa15d4cfb43f80898d0cbf3bc214b96c5c97b1733

SHA512
1d3c618dc84fdc8602e32a29e2afab7167914568e834c6b4a4099f0ad6781ad6bc999d2082586cd4b9e30ef62144342ab70d2cf3c175e9cb1abda0b60f113737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
723d38ddb7158b3ebd72d7a7682a1dc6

SHA1
08513f21406e8489a141a40d629c1df9f17a1f61

SHA256
ebd9022b29030d84fa3cd3a139bbd2bab55702e0143e5e224f5fe4f43e514dd8

SHA512
b9d10fd2f9c4a26216e155e9807e6cecee09d233ba363e73f254d161ab83381df0daa7b62266c5cdec7f99849122de1e0602fc0daf0af93cfecb878e5d97ec71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI65EE.tmp

Filesize
172KB

MD5
3adf5ffea5480feb3da22d4a9c69d935

SHA1
caa0b5949640819e8ae31ba3d73fd7dfc8bbf729

SHA256
696e9461fe02534348e9828defd7d70c8701f4e7942fc3c75df4704d83af965e

SHA512
a560bf16a7352251ee926d3329d1ae104f8d1130581d63db96406a1416554c2b9e5d95972c43e572936c26329eb3a2dde3632ca0b4734cadefdce383d0f8d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI687F.tmp

Filesize
2.5MB

MD5
4c488f45d6fc8de14ff28ba55cc7ca9d

SHA1
2ee5600b71ac4b7fcd02d9ac2e51da198393b0a6

SHA256
b654c4f8aaa7ad37878d396bc9696d2227073daf9028aeeee58dd79c92d9c7c7

SHA512
752103524c6e471b9bc3e93d391387ea73ad83fde25cc897568cef65eb985ff25a1bf9c39a44dc3a5483e128119cb63bc02e11ca7f65e8ecdbc258956564b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6C68.tmp

Filesize
166KB

MD5
194cab4d006db89a40f4c8f9fe1b935f

SHA1
6345237143dc2048b1aa9f9dbf4d908c3b42009e

SHA256
a1ac894bec5ec2dee5bc48f00cae790ad7831a4f8de4d0c43351f55a329060cd

SHA512
a6baa8fcfe399c4c06f74ca573ed42a9a3265c4944438da3b0aa70b31c6186c7892f6a2c942914d9f50e14cbccd46f7dd70b3dbe9387f457ca178972600f51e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzkfag0x.ejk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8B55.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISBEW64.exe

Filesize
178KB

MD5
520dbbef2ae1d465fe355944812d0c6c

SHA1
71a6beb8603c54668c53534f9b3eedeace8daed4

SHA256
7edc950ecfbbb043a62f31f01be2710892bb34455dd7ea435ce1346873d3f36f

SHA512
4aa0f0166b938997858510fbae4a2d4318d298f71bb8d01d54a950966b3b96a22035551edaa6fdcdeb37c190676f95752bca572f123ca9b922293e89d69361f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\ISRT.dll

Filesize
426KB

MD5
7b0ace4aa7c0204c93f7e6393252a2dc

SHA1
1242fa45be59a54b75085c56acb1d2e171a38b74

SHA256
eb63a17e4ac3ee76a496a97e7686e2980733ab4e6bd81991cf513c3175a05822

SHA512
b1c7722f5e9dbffa8309b4ee67054b6b30c9b0217f298cf2eccbdd707e84dd00c8cac2ecf5d3704f9dec6f4b5c46034787ee95acaf997709ad4aae8c7b511232

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25EBE25A-731E-49EB-9971-AEC1D020A942}\_isres_0x0409.dll

Filesize
1.8MB

MD5
83b69b0e6dfe95b586d8a70e1ff029c8

SHA1
9c0f6d8095c8113eaa9f69e6ac43f56780919ad6

SHA256
f96f3dfa3f735eba58c0e50597ff7922c30129a2bea74ccf6ce94d903a5d8330

SHA512
cddb016cd4fc90d78a38766dd78d0fdad09d5f487ad22c04809af9a2ec6cdeb5dd0545b5d898e46ca5a0ac58e796a59550a441d66114f1734ee982d60379e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\IsConfig.ini

Filesize
538B

MD5
6daeff71b8a48b4b5663b35989af7265

SHA1
53c9e7ffb19c574e9ce7761f737f2ec036a275ee

SHA256
88a0073bf456c0cfc498dafed7f6bebc7aa38f33bf1254433c7f8a230b2e6f1f

SHA512
bd632cbfd7cbf1bc9d9abd4eba1491544249eb155cfeb9380e18ce1a5893e977ee7d1ce6b1a3b79dd570b6dfac57aef62142b01a43a591756e1d4561b44174ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\String1033.txt

Filesize
183KB

MD5
25a6c19668d70acdd1114a2768772316

SHA1
db6fd1c0a16acaad9abf97e9c0306416fbeccea1

SHA256
a350e03619ccfb2cdbeabf3461fc03cc75395de41e2c9699ad7ca9b7b3f8bc3d

SHA512
7eb21e3b4136aab29f412a2fd1e449d7a24c375d018efddb7b2c6d419de6b998fb5959a83f183edd32417ea6252583af77b0d28a33dd62c9d463feb003619cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C76BACA8-BB3D-4365-B4A9-7569F2D5677D}\setup.inx

Filesize
281KB

MD5
d52d02ee55e2ae93e6b53beb16e7a28f

SHA1
0f13d4512203851847a3d09db2805b9e55b876d0

SHA256
8368a2a8261260f76c2d9332e91588a836dc5754d6a048eaabb3a016f9e7d65e

SHA512
0d42748c1107e9eaa590b086557edfd7e38294e82cb26cb930bf9d3fcf0a14d26500c467d5c833577c73c59c2aef9c1e975f70ee0fef8ecdd8ae3b0df215b87a

Download Submit
C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\NPCAP.inf

Filesize
8KB

MD5
04c7944e5a04629fc393cadf44293136

SHA1
6d292051319573e4315c9e2988f53501793c57dc

SHA256
6b9273ab4333e5ec67fd4ff044c43916dfc6939bfefadc911f5c5a2dfae2db65

SHA512
2070fde243093f7f2d970cf9af876fbc829e72c43c929d03db5ac617d8c2d6d007e767cbe0f56563b7acb8b507bb7cb1f6cbb85d77c3a686fc0d1cdd3bddae88

Download Submit
C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\npcap.cat

Filesize
12KB

MD5
3fd9a520f8b768eee9ee35eedec6bf3d

SHA1
302f9b44e602c00f309cef47e0657148b8b0a741

SHA256
612f6989db53adf27aa9e53f9c6ff7061012a529853849019f0cb6da5ab67d8e

SHA512
4ef544970857028641da7c5d59a2feb28a5eded8d3b37f6e7b43b0a036d83b27bb2d8b49f9ed9b73a89ce70f310efda2e49220306a982d8893177740d0b3d6c9

Download Submit
C:\Windows\System32\DriverStore\Temp\{9e9605a7-066f-874a-9836-574c5692708c}\npcap.sys

Filesize
75KB

MD5
c41047f5dc12cb06027b8c9180ba50ec

SHA1
b3990659a5d926bebbd3677123bf5150700d521c

SHA256
34d8eb66ba1bb1bc4a0f342d6346868e1d6049d19034a4ce9c6e98f0c1ecfc99

SHA512
962e8c728f9269ddcf3547cb8d78a1d893e64e6ccc75191ca718500e1a5ae3b58530721f8703ccd6a8e0db316a09b0f99fc03ca79acd16f1082c63f46b159b3a

Download Submit
C:\Windows\Temp\{69F287F8-8C65-4DC4-AB8A-9A8A0EBE86EB}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\??\pipe\crashpad_4828_OJTOEILYIZJRHHWA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-1181-0x000002E2D7240000-0x000002E2D7241000-memory.dmp

Filesize
4KB

Download
memory/392-171-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/392-176-0x0000000003310000-0x00000000034D7000-memory.dmp

Filesize
1.8MB

Download
memory/392-264-0x0000000003750000-0x0000000003917000-memory.dmp

Filesize
1.8MB

Download
memory/392-261-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/392-231-0x0000000003350000-0x0000000003517000-memory.dmp

Filesize
1.8MB

Download
memory/392-227-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/472-46-0x00000000036D0000-0x0000000003897000-memory.dmp

Filesize
1.8MB

Download
memory/472-39-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/1220-892-0x0000000007640000-0x0000000007672000-memory.dmp

Filesize
200KB

Download
memory/4276-937-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4276-1030-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4276-295-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4276-298-0x00000000030E0000-0x00000000032A7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-380-0x0000000003120000-0x00000000032E7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-378-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4276-488-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4276-858-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/5988-861-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/5988-873-0x0000000005B00000-0x0000000005B4C000-memory.dmp

Filesize
304KB

Download
memory/5988-860-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/5988-859-0x0000000004C00000-0x0000000004C22000-memory.dmp

Filesize
136KB

Download
memory/5988-871-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/5988-857-0x0000000004C70000-0x0000000005298000-memory.dmp

Filesize
6.2MB

Download
memory/5988-856-0x0000000004510000-0x0000000004546000-memory.dmp

Filesize
216KB

Download
memory/5988-872-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/5988-877-0x0000000007080000-0x0000000007624000-memory.dmp

Filesize
5.6MB

Download
memory/5988-876-0x0000000005F40000-0x0000000005F62000-memory.dmp

Filesize
136KB

Download
memory/5988-875-0x0000000005ED0000-0x0000000005EEA000-memory.dmp

Filesize
104KB

Download
memory/5988-874-0x0000000005FB0000-0x0000000006046000-memory.dmp

Filesize
600KB

Download