eternity | d44006982388af1f774550e394ebc9a613bbccd2e0dbedfdac871fee1872ad96

Windows Service

Disable or Modify Tools

T1562.001

Processes:

Growtoken.exeGrowtoken.exeGrowtoken.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Growtoken.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Growtoken.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
7416	powershell.exe
5084	powershell.exe
4504	powershell.exe
1248	powershell.exe
5936	powershell.exe
5520	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

NPFInstall.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETA417.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETA417.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.execertutil.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
2892	netsh.exe
6048	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

FiddlerSetup.exevc_redist.x64.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe

Drops startup file 9 IoCs

Processes:

Growtoken.exeGrowtoken.exetaskmgr.exeGrowtoken.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe\:Zone.Identifier:$DATA	Growtoken.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe\:Zone.Identifier:$DATA	Growtoken.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\growtoken.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Growtoken.exe	Growtoken.exe

Executes dropped EXE 30 IoCs

Processes:

dcd.exeGrowtoken.exedcd.exeFiddlerSetup.5.0.20243.10853-latest.exeFiddlerSetup.exeSetupHelperFiddler.exeFiddler.exeFiddler.exeGrowtoken.exeFiddler.exeFiddler.exedcd.exeWireshark-4.2.5-x64.exevc_redist.x64.exevc_redist.x64.exeVC_redist.x64.exenpcap-1.78.exeNPFInstall.exeNPFInstall.exeNPFInstall.exeNPFInstall.exeWireshark.exeetwdump.exeetwdump.exedumpcap.exedumpcap.exeetwdump.exedumpcap.exedumpcap.exe

pid	Process
2192	dcd.exe
4052	Growtoken.exe
5012	dcd.exe
3680	FiddlerSetup.5.0.20243.10853-latest.exe
4632	FiddlerSetup.exe
5160	SetupHelper
3640	Fiddler.exe
6004	Fiddler.exe
5168	Fiddler.exe
5312	Growtoken.exe
7628	Fiddler.exe
4388	Fiddler.exe
7272	dcd.exe
7508	Wireshark-4.2.5-x64.exe
6488	vc_redist.x64.exe
8072	vc_redist.x64.exe
7756	VC_redist.x64.exe
2860	npcap-1.78.exe
7952	NPFInstall.exe
5288	NPFInstall.exe
5052	NPFInstall.exe
2268	NPFInstall.exe
8072	Wireshark.exe
6864	etwdump.exe
7632	etwdump.exe
8136	dumpcap.exe
7616	dumpcap.exe
8184	etwdump.exe
1368	dumpcap.exe
8480	dumpcap.exe

Loads dropped DLL 64 IoCs

Processes:

FiddlerSetup.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeFiddler.exeFiddler.exeFiddler.exeGrowtoken.exeFiddler.exeFiddler.exepowershell.exeWireshark-4.2.5-x64.exevc_redist.x64.exeVC_redist.x64.exenpcap-1.78.exe

pid	Process
4632	FiddlerSetup.exe
620	mscorsvw.exe
6228	mscorsvw.exe
6368	mscorsvw.exe
4400	mscorsvw.exe
6572	mscorsvw.exe
6840	mscorsvw.exe
6572	mscorsvw.exe
5884	mscorsvw.exe
5884	mscorsvw.exe
5884	mscorsvw.exe
5884	mscorsvw.exe
5884	mscorsvw.exe
5884	mscorsvw.exe
6384	mscorsvw.exe
6784	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
5952	mscorsvw.exe
5952	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
3640	mscorsvw.exe
7088	mscorsvw.exe
5512	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
7012	mscorsvw.exe
3640	Fiddler.exe
3640	Fiddler.exe
6004	Fiddler.exe
6004	Fiddler.exe
5168	Fiddler.exe
5168	Fiddler.exe
5312	Growtoken.exe
7628	Fiddler.exe
7628	Fiddler.exe
4388	Fiddler.exe
4388	Fiddler.exe
8020	powershell.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
7508	Wireshark-4.2.5-x64.exe
8072	vc_redist.x64.exe
5528	VC_redist.x64.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe
2860	npcap-1.78.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

Growtoken.exeGrowtoken.exeGrowtoken.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Growtoken.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Growtoken.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

VC_redist.x64.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

msiexec.exeDrvInst.exeNPFInstall.exenpcap-1.78.exe

description	ioc	Process
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.78.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.78.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\SETA1A7.tmp	DrvInst.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.78.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\SETA1A8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\npcap.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\SETA1A7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\SETA1A6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{338f52b2-944d-8940-8617-383cea8108eb}\SETA1A6.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

Wireshark-4.2.5-x64.exenpcap-1.78.exe

description	ioc	Process
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-stats-conversations.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\capinfos.exe	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.ericsson	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\[email protected]	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChUseAnalyzeMenuSection.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-asap-statistics.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\libbcg729.dll	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.manzara	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\translations\wireshark_pl.qm	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-find-packet.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-mate-mmse_over_http.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\libspeexdsp.dll	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChUseStartSection.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChTelLTE.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChAdvExpert.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\plugins\4.2\codecs\g711.dll	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\FDDI-SMT73-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\toolbar\x-capture-file-save.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.fdxtended	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\plugins\4.2\wiretap\usbdump.dll	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\TED-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\LOAD-BALANCING-PIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChCapLinkLayerHeader.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChStatANCP.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\PreAck.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-statistics-menu.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\profiles\No Reassembly\preferences	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\dtds\xcap-error.dtd	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.78.exe
File created	C:\Program Files\Wireshark\snmp\mibs\IANA-ITU-ALARM-TC-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\DS0BUNDLE-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\ietf-snmp-engine.yang	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.broadsoft	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\translations\wireshark_zh_CN.qm	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\translations\wireshark_ru.qm	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.roaringpenguin	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\LMP-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChStatTCPStreamGraphs.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\Preface.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-mate-gop_analysis.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\diameter\sunping.xml	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\plugins\4.2\epan\wimax.dll	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\SNMPv2-TM	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChTelSIPStatistics.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.rfc5580	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.livingston	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\translations\wireshark_fr.qm	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\DLSW-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\TN3270E-RT-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\[email protected]	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChAdvChecksums.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.compat	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.shasta	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\EtherLike-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\README.windows.txt	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-tools-menu.png	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChapterIntroduction.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\SNMP-COMMUNITY-MIB	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\TUBS-SMI	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\ietf-snmp-usm.yang	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChBuildInstallUnixInstallBins.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChUseToolsMenuSection.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChapterCapture.html	Wireshark-4.2.5-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-tel-rtpstream-analysis_1.png	Wireshark-4.2.5-x64.exe

Drops file in Windows directory 57 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemsiexec.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeNPFInstall.exemscorsvw.exeDrvInst.exemscorsvw.exesvchost.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b64-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\26c-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b64-0\System.Design.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e66431e.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1854-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\18e0-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bb0-0\System.Runtime.Caching.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\3248866fdc0058e6a1a5d64c5019ee84\System.Web.RegularExpressions.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\CWX4B0RB3J\System.Web.RegularExpressions.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7UABSFUJI2\System.Web.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI46E3.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2}	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e38-0\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt19c51595#\6f69c2900b13ef16144a4dd218db8baf\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\OJJP88AY78\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\Installer\e664333.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\assembly\temp\CWX4B0RB3J\System.Web.RegularExpressions.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\78XIAMXEEV\System.EnterpriseServices.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\78XIAMXEEV\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI4F33.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\48284cc851a179c6096f5a08fd1c8eb1\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7UABSFUJI2\System.Web.ni.dll	mscorsvw.exe
File created	C:\Windows\Installer\e66430b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e66431e.msi	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\19ac-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1588-0\System.Web.RegularExpressions.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\B16KTZW8GN\System.Runtime.Caching.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\78XIAMXEEV\System.EnterpriseServices.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI4D0F.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e38-0\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\B16KTZW8GN\System.Runtime.Caching.ni.dll	mscorsvw.exe
File created	C:\Windows\Installer\e66431d.msi	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\OJJP88AY78\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\Installer\MSI48D8.tmp	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1130-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ab8-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1a80-0\Microsoft.JScript.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\27f97b5687f7139425a49f9cbafaf6e2\System.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Installer\e66430b.msi	msiexec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 46 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

NPFInstall.exevssvc.exeDrvInst.exesvchost.exetaskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dumpcap.exedumpcap.exefirefox.exeWireshark.exedumpcap.exedumpcap.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wireshark.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

FiddlerSetup.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies data under HKEY_USERS 61 IoCs

Processes:

DrvInst.exechrome.exemsiexec.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615315363228750"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeWireshark-4.2.5-x64.exeFiddlerSetup.exeVC_redist.x64.exeVC_redist.x64.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.acp	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mplog	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.snoop	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpc\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Version = "237272852"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\DefaultIcon\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\",1"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.enc	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.syc	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lcap	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.snoop\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpc	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{D5D19E2F-7189-42FE-8103-92CD1FA457C2}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.5vw	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.enc\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rf5\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tr1	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trace\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.erf\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pcap\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pkt\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.trace	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.out\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Servicing_Key	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.cap	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pcapng\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg	Wireshark-4.2.5-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.5vw\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpz\ = "wireshark-capture-file"	Wireshark-4.2.5-x64.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\Growtoken.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FiddlerSetup.5.0.20243.10853-latest.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Wireshark.exe

pid	Process
8072	Wireshark.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exe

pid	Process
3016	powershell.exe
3016	powershell.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeWireshark-4.2.5-x64.exeWireshark.exe

pid	Process
2120	taskmgr.exe
7508	Wireshark-4.2.5-x64.exe
8072	Wireshark.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid	Process
652
652
652
652
652
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

msedge.exechrome.exe

pid	Process
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe
6376	msedge.exe
6376	msedge.exe
6376	msedge.exe
5912	chrome.exe
5912	chrome.exe
5912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Growtoken.exepowershell.exetaskmgr.exefirefox.exeAUDIODG.EXEGrowtoken.exepowershell.exeFiddlerSetup.exeFiddler.exeFiddler.exeFiddler.exeGrowtoken.exechrome.exeFiddler.exe

description	pid	Process
Token: SeDebugPrivilege	32	Growtoken.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2120	taskmgr.exe
Token: SeSystemProfilePrivilege	2120	taskmgr.exe
Token: SeCreateGlobalPrivilege	2120	taskmgr.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: 33	3544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3544	AUDIODG.EXE
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	4052	Growtoken.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: SeDebugPrivilege	4632	FiddlerSetup.exe
Token: 33	2120	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2120	taskmgr.exe
Token: SeDebugPrivilege	3640	Fiddler.exe
Token: SeDebugPrivilege	6004	Fiddler.exe
Token: SeDebugPrivilege	5168	Fiddler.exe
Token: SeDebugPrivilege	5312	Growtoken.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeDebugPrivilege	7628	Fiddler.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe
Token: SeShutdownPrivilege	5912	chrome.exe
Token: SeCreatePagefilePrivilege	5912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exefirefox.exe

pid	Process
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exefirefox.exe

pid	Process
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe
2120	taskmgr.exe

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

firefox.exeFiddler.exeFiddler.exeFiddler.exeFiddler.exeFiddler.exe

pid	Process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3640	Fiddler.exe
3640	Fiddler.exe
6004	Fiddler.exe
6004	Fiddler.exe
5168	Fiddler.exe
5168	Fiddler.exe
7628	Fiddler.exe
7628	Fiddler.exe
4388	Fiddler.exe
4388	Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Growtoken.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 32 wrote to memory of 2192	32	Growtoken.exe	83
PID 32 wrote to memory of 2192	32	Growtoken.exe	83
PID 32 wrote to memory of 2192	32	Growtoken.exe	83
PID 32 wrote to memory of 3016	32	Growtoken.exe	84
PID 32 wrote to memory of 3016	32	Growtoken.exe	84
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 2464 wrote to memory of 3596	2464	firefox.exe	122
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 376	3596	firefox.exe	123
PID 3596 wrote to memory of 4296	3596	firefox.exe	124
PID 3596 wrote to memory of 4296	3596	firefox.exe	124
PID 3596 wrote to memory of 4296	3596	firefox.exe	124
PID 3596 wrote to memory of 4296	3596	firefox.exe	124
PID 3596 wrote to memory of 4296	3596	firefox.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Growtoken.exe
"C:\Users\Admin\AppData\Local\Temp\Growtoken.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.0.2129323199\1596060900" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bac1514-fea9-4f22-b6e2-27a8fdd666ce} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 1896 22d54725e58 gpu
    3⤵
    PID:376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.1.940271048\1395709148" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a917270-e471-448e-9cc1-1d81a6459114} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 2464 22d47a8a558 socket
    3⤵
    PID:4296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.2.1628602471\284259013" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {827f8bbe-391e-4fdb-b192-b35bf3d5e7dc} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 3000 22d57519858 tab
    3⤵
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.3.1714482219\856955554" -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a616c684-e36e-4ad9-aec9-1e2b5e87c47a} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 4068 22d47a7ae58 tab
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.4.1561707699\666865510" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b37946e8-bf95-4230-b402-c6293d6d66f3} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5116 22d5bb77858 tab
    3⤵
    PID:3140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.5.364632861\1741524631" -childID 4 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4edcb73-19ee-474e-8c4f-19f644a26a31} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5176 22d5bb74e58 tab
    3⤵
    PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.6.861640061\286646907" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f5881f-9c91-436f-b0b3-7ca20733867a} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5464 22d5bb75758 tab
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.7.209863640\1044814981" -childID 6 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 31463 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0a48459-54cd-4d44-a2d1-d3975425349b} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6116 22d61b90058 tab
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.8.152139100\1545217464" -childID 7 -isForBrowser -prefsHandle 6280 -prefMapHandle 6452 -prefsLen 31463 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c667e47b-73f0-4fbb-855a-2e13ebc00786} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6352 22d5975b058 tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.9.910532106\502913685" -childID 8 -isForBrowser -prefsHandle 5608 -prefMapHandle 5360 -prefsLen 31724 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6cc6762-cf59-4b80-8256-8ab4357f41dc} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5556 22d5bb75758 tab
    3⤵
    PID:1584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.10.312633773\61003984" -childID 9 -isForBrowser -prefsHandle 4492 -prefMapHandle 5416 -prefsLen 31724 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac066c4f-2fa2-4ecc-bb23-53196402cb93} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5484 22d5bb76f58 tab
    3⤵
    PID:1136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.11.241745618\755402937" -childID 10 -isForBrowser -prefsHandle 5236 -prefMapHandle 6820 -prefsLen 31724 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c76866c1-4fce-4d63-85ec-7bf13ba3a16e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6840 22d61b8fa58 tab
    3⤵
    PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.12.1509964751\1209192491" -childID 11 -isForBrowser -prefsHandle 6232 -prefMapHandle 6228 -prefsLen 31724 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3956240-6fe5-418b-bf38-f0f41752048b} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6220 22d5975a158 tab
    3⤵
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.13.358549270\1909868462" -childID 12 -isForBrowser -prefsHandle 6568 -prefMapHandle 6348 -prefsLen 31724 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6d2334-e239-483f-8987-255ddccabebf} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6980 22d6306fb58 tab
    3⤵
    PID:4460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.14.343251497\1489326086" -childID 13 -isForBrowser -prefsHandle 6300 -prefMapHandle 5028 -prefsLen 31764 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c083ce16-e932-466c-9554-5ad67c7308cb} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5112 22d5bb77b58 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.15.804133947\200984383" -childID 14 -isForBrowser -prefsHandle 6284 -prefMapHandle 6684 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fafb5800-cf8e-4ba8-bed6-1475eab5df73} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6100 22d5bb3cb58 tab
    3⤵
    PID:6140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.16.94620842\1995152095" -childID 15 -isForBrowser -prefsHandle 7404 -prefMapHandle 6164 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9709937-8411-47b9-9c49-350da73fa355} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 7412 22d60566158 tab
    3⤵
    PID:5136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.17.1118035016\2031831694" -parentBuildID 20230214051806 -prefsHandle 11156 -prefMapHandle 11096 -prefsLen 31912 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a017bf61-7091-47e9-8c1a-b3ab14b97fbc} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 11112 22d61976b58 rdd
    3⤵
    PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.18.278361906\51108712" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6876 -prefMapHandle 11052 -prefsLen 31912 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41201d92-dccb-4ea3-a65c-93152a1e53d3} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 11160 22d61978c58 utility
    3⤵
    PID:5332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.19.1281069090\1003070258" -childID 16 -isForBrowser -prefsHandle 7236 -prefMapHandle 5548 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e631164d-87e2-4a81-86c0-292b549edf7f} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 10360 22d63330458 tab
    3⤵
    PID:6028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.20.854351138\284601172" -childID 17 -isForBrowser -prefsHandle 10708 -prefMapHandle 10324 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5776b80c-265f-4e73-98ef-662a9f63af03} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 10724 22d5a37db58 tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.21.70717286\517939724" -childID 18 -isForBrowser -prefsHandle 9200 -prefMapHandle 9192 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4655f20-d67f-4267-8a88-19ee01d7df8d} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 9208 22d5a37e758 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.22.900450605\1269918105" -childID 19 -isForBrowser -prefsHandle 10212 -prefMapHandle 10324 -prefsLen 31912 -prefMapSize 235121 -jsInitHandle 1176 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bef73bc-49a7-4191-ac7e-c55a42c8dd46} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 9144 22d67c59a58 tab
    3⤵
    PID:6036
- - C:\Users\Admin\Downloads\FiddlerSetup.5.0.20243.10853-latest.exe
    "C:\Users\Admin\Downloads\FiddlerSetup.5.0.20243.10853-latest.exe"
    3⤵
    - Executes dropped EXE
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\nsaD97D.tmp\FiddlerSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\nsaD97D.tmp\FiddlerSetup.exe" /D=
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4632
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
        5⤵
        Modifies Windows Firewall
        
        PID:2892
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
        5⤵
        Modifies Windows Firewall
        
        PID:6048
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
        5⤵
        
        PID:5756
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        
        PID:5884
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        
        PID:6384
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6784
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 290 -Pipe 2e4 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:7012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2dc -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        
        PID:5952
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2c4 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3640
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 274 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:7088
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 298 -Pipe 2e0 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5512
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:7012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
        6⤵
        Drops file in Windows directory
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 274 -Comment "NGen Worker Process"
        6⤵
        Drops file in Windows directory
        
        PID:3272
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 300 -Comment "NGen Worker Process"
        6⤵
        Drops file in Windows directory
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 274 -Pipe 2e8 -Comment "NGen Worker Process"
        6⤵
        Drops file in Windows directory
        
        PID:6576
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 28c -Pipe 2a8 -Comment "NGen Worker Process"
        6⤵
        Drops file in Windows directory
        
        PID:2276
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
        5⤵
        
        PID:4720
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        6⤵
        
        PID:4716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 280 -Pipe 1e0 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:620
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4400
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 288 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6228
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2bc -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6368
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6572
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2b4 -Comment "NGen Worker Process"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6840
    - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
        
        "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
        5⤵
        Executes dropped EXE
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83c5446f8,0x7ff83c544708,0x7ff83c544718
        6⤵
        
        PID:6408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        6⤵
        
        PID:7132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        6⤵
        
        PID:7140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
        6⤵
        
        PID:3724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
        6⤵
        
        PID:4052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        6⤵
        
        PID:5868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
        6⤵
        
        PID:4712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
        6⤵
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        6⤵
        
        PID:3052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
        6⤵
        
        PID:2120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
        6⤵
        
        PID:6880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 /prefetch:2
        6⤵
        
        PID:5252
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:8
        6⤵
        
        PID:2072
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:8
        6⤵
        
        PID:7336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        6⤵
        
        PID:7280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
        6⤵
        
        PID:7920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13543077791912202021,17413309939796659954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
        6⤵
        
        PID:2408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Users\Admin\Downloads\Growtoken.exe
"C:\Users\Admin\Downloads\Growtoken.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4052
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6240

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Win8EL
  2⤵
  PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5446f8,0x7ff83c544708,0x7ff83c544718
    3⤵
    PID:6928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6556

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2816

C:\Users\Admin\Downloads\Growtoken.exe
"C:\Users\Admin\Downloads\Growtoken.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:5312
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:7272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Loads dropped DLL
  PID:8020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff839deab58,0x7ff839deab68,0x7ff839deab78
  2⤵
  PID:6964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:2
  2⤵
  PID:6188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3956 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5004 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:8028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5112 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:8144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3244 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:6528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3256 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3176 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3516 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:6708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5008 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1576 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4656 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4540 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5056 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1692 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1680 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:8112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4204 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5644 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:8012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=3248 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=1860 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4904 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:1
  2⤵
  PID:7040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:7148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:6804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1560,i,9000202500559015416,6635530909485885352,131072 /prefetch:8
  2⤵
  PID:1616
- C:\Users\Admin\Downloads\Wireshark-4.2.5-x64.exe
  "C:\Users\Admin\Downloads\Wireshark-4.2.5-x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7508
- - C:\Program Files\Wireshark\vc_redist.x64.exe
    "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    PID:6488
  - - C:\Windows\Temp\{42486435-1A97-4005-B9A1-74254A486239}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{42486435-1A97-4005-B9A1-74254A486239}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=572 /install /quiet /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:8072
    - - C:\Windows\Temp\{39342502-EFBF-4993-89C1-81005AF894DD}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{39342502-EFBF-4993-89C1-81005AF894DD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A0723AD5-661F-46FB-ABD4-6E0E47758CAF} {4995D62B-FED8-4F9D-8378-17348EEE68AB} 8072
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:7756
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1108 -burn.embedded BurnPipe.{D4254406-6FEC-4CED-BDD8-2267BBA75435} {C3221F62-8FEF-4EF5-B83B-E2EE3D8A0C53} 7756
        6⤵
        
        PID:2200
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1108 -burn.embedded BurnPipe.{D4254406-6FEC-4CED-BDD8-2267BBA75435} {C3221F62-8FEF-4EF5-B83B-E2EE3D8A0C53} 7756
        7⤵
        Loads dropped DLL
        
        PID:5528
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DB63E21F-DA4C-48FA-9D83-D51108C5D334} {DA4577E0-B977-4209-AFBE-3AD032F343E4} 5528
        8⤵
        Modifies registry class
        
        PID:8012
- - C:\Program Files\Wireshark\npcap-1.78.exe
    "C:\Program Files\Wireshark\npcap-1.78.exe" /winpcap_mode=no /loopback_support=no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\nsm601A.tmp\NPFInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\nsm601A.tmp\NPFInstall.exe" -n -check_dll
      4⤵
      Executes dropped EXE
      PID:7952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5520
    - - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
        5⤵
        Manipulates Digital Signatures
        
        PID:5832
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
      4⤵
      PID:5344
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsm601A.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5084
    - - C:\Windows\SysWOW64\certutil.exe
        
        "C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
        5⤵
        
        PID:7344
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
      4⤵
      PID:6068
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsm601A.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
      4⤵
      PID:7844
  - - C:\Windows\SysWOW64\certutil.exe
      certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsm601A.tmp\signing.p7b"
      4⤵
      Manipulates Digital Signatures
      PID:8040
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -c
      4⤵
      Executes dropped EXE
      PID:5288
    - - C:\Windows\SYSTEM32\pnputil.exe
        
        pnputil.exe -e
        5⤵
        
        PID:6680
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
      4⤵
      Executes dropped EXE
      PID:5052
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -i
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5716

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7712

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6988

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:7824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5004
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{532614f5-2147-1448-956e-5297b8f51e5c}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2332

C:\Program Files\Wireshark\Wireshark.exe
"C:\Program Files\Wireshark\Wireshark.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:8072
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-interfaces --extcap-version=4.2
  2⤵
  - Executes dropped EXE
  PID:6864
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
  2⤵
  - Executes dropped EXE
  PID:7632
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -D -Z none
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:8136
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -i \Device\NPF_Loopback -L --list-time-stamp-types -Z none
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:7616
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-dlts --extcap-interface etwdump
  2⤵
  - Executes dropped EXE
  PID:8184
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -S -Z 8072.dummy
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1368
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -n -i \Device\NPF_Loopback -Z 8072
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:8480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery