543d09f282d15e773c40af1755c0b496d73127e24e4af5f6860f2c351e5ebcf5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BetaGameTester.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BetaGameTester.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BetaGameTester.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BetaGameTester.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1536	powershell.exe
3500	cmd.exe

Executes dropped EXE 22 IoCs

pid	Process
1836	Wireshark-4.2.6-x64.exe
2260	vc_redist.x64.exe
3760	vc_redist.x64.exe
3640	VC_redist.x64.exe
6064	npcap-1.78.exe
224	NPFInstall.exe
5224	NPFInstall.exe
5648	NPFInstall.exe
5656	NPFInstall.exe
5508	Wireshark.exe
3468	etwdump.exe
2600	etwdump.exe
2216	dumpcap.exe
2352	dumpcap.exe
5040	etwdump.exe
3676	dumpcap.exe
4136	BetaGameTester.exe
2900	BetaGameTester.exe
2904	BetaGameTester.exe
4004	BetaGameTester.exe
2608	BetaGameTester.exe
2704	BetaGameTester.exe

Loads dropped DLL 64 IoCs

pid	Process
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
1836	Wireshark-4.2.6-x64.exe
3760	vc_redist.x64.exe
5784	VC_redist.x64.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
6064	npcap-1.78.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe
5508	Wireshark.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupPV9I8p = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\BetaGameTester.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
418	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
269	ipinfo.io
270	ipinfo.io

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\SETDA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.sys	DrvInst.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.78.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\SETC9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\SETC9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.78.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}	DrvInst.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\SETDB.tmp	DrvInst.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\NPCAP.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.78.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.78.exe
File created	C:\Windows\System32\DriverStore\Temp\{3cf3e84e-caa1-1d46-b7be-e46320723f8a}\SETDA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_8bd33bba90c49bc9\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
232	cmd.exe
3852	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Wireshark\snmp\mibs\IPMROUTE-STD-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\UPS-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChTelH225.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-calcappprotocol-statistics.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-pref-appearance.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\ws.css	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\translations\qt_nn.qm	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\Modem-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\VRRP-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\IANA-FINISHER-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.chillispot	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.terena	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\APPN-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\DOCS-IETF-BPI2-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\RSTP-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\TUBS-IBR-TNM-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.bintec	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\NOTIFICATION-LOG-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\RFC1414-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\SNMP-VIEW-BASED-ACM-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\SNMPv2-TC	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.eltex	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.telebit	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\[email protected]	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChMateConfigurationLibrary.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChMateReferenceManual.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChapterAdvanced.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-edit-menu.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-sctp-1-association.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\libspandsp-2.dll	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\wireshark-filter.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.infoblox	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.valemount	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\POLICY-FRAMEWORK-PIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-export-objects.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\diameter\AlcatelLucent.xml	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\diameter\Nokia.xml	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\generic\qtuiotouchplugin.dll	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\DOCS-IF-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\SIP-UA-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\[email protected]	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChAppFilesConfigurationSection.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-coloring-fields.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-mate-transform.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\PPP-SEC-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-bt-hci-summary.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.freedhcp	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\Finisher-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\HDSL2-SHDSL-LINE-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\ietf-netconf-acm.yang	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChCapLinkLayerHeader.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-list-pane.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-view-menu.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\radius\dictionary.walabi	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\ietf-snmp-engine.yang	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChStatIPv6.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\ChTelVoipCalls.html	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-export-packet-dissections.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-follow-stream.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\Wireshark User's Guide\images\ws-mate-pdu_analysis.png	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\dtds\smil.dtd	Wireshark-4.2.6-x64.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Wireshark\snmp\mibs\DOT12-RPTR-MIB	Wireshark-4.2.6-x64.exe
File created	C:\Program Files\Wireshark\snmp\mibs\COPS-PR-SPPI-TC	Wireshark-4.2.6-x64.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5da923.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACFD.tmp	msiexec.exe
File created	C:\Windows\Installer\e5da935.msi	msiexec.exe
File created	C:\Windows\Installer\e5da936.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5da936.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB115.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\Installer\e5da923.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5da94b.msi	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB17.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB367.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wireshark-4.2.6-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5192	netsh.exe
5792	cmd.exe

Checks SCSI registry key(s) 3 TTPs 47 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d6be30f9a4b6bc740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d6be30f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d6be30f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd6be30f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d6be30f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	BetaGameTester.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 37 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Wireshark.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	BetaGameTester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Wireshark.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	dumpcap.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BetaGameTester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BetaGameTester.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Wireshark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dumpcap.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	dumpcap.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	BetaGameTester.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Wireshark.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	dumpcap.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
764	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690694154524604"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ipfix\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	systempropertiesadvanced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\PackageCode = "73C8C8E4844B0BB4A8B86F043B32F917"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\Shell\open\command\ = "\"C:\\Program Files\\Wireshark\\Wireshark.exe\" \"%1\""	Wireshark-4.2.6-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\PackageCode = "1BE5B2DDE80EDC54D874D240756DB43A"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trace\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.acp\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.atc\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lcap\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\27DD5200959A5B540A3AE7EF1BA50805	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pcap	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vwr\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apc	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.5vw	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mplog\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bfr	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27DD5200959A5B540A3AE7EF1BA50805\Servicing_Key	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ntar	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7}	VC_redist.x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fdc	Wireshark-4.2.6-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pklg	Wireshark-4.2.6-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.trc\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Version = "237272852"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lcap	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pcap\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wireshark-capture-file\ = "Wireshark capture file"	Wireshark-4.2.6-x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fdc\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\VC_Runtime_Minimum	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apc\ = "wireshark-capture-file"	Wireshark-4.2.6-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\F2E91D5D9817EF24183029DCF14A752C	msiexec.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5540	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5844	explorer.exe
5508	Wireshark.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
5428	msedge.exe
5428	msedge.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5924	chrome.exe
5924	chrome.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
1524	msiexec.exe
224	NPFInstall.exe
224	NPFInstall.exe
2608	powershell.exe
2608	powershell.exe
4212	powershell.exe
4212	powershell.exe
3476	powershell.exe
3476	powershell.exe
1572	powershell.exe
1572	powershell.exe
5384	powershell.exe
5384	powershell.exe
5272	powershell.exe
5272	powershell.exe
5840	chrome.exe
5840	chrome.exe
5440	BetaGameTester.exe
5440	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe
4136	BetaGameTester.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5688	systempropertiesadvanced.exe
5508	Wireshark.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe
Token: SeShutdownPrivilege	3928	chrome.exe
Token: SeCreatePagefilePrivilege	3928	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5924	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe
5840	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1836	Wireshark-4.2.6-x64.exe
2260	vc_redist.x64.exe
3760	vc_redist.x64.exe
3640	VC_redist.x64.exe
5824	VC_redist.x64.exe
5784	VC_redist.x64.exe
6128	VC_redist.x64.exe
6064	npcap-1.78.exe
224	NPFInstall.exe
5224	NPFInstall.exe
5648	NPFInstall.exe
5656	NPFInstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2696	3928	chrome.exe	102
PID 3928 wrote to memory of 2696	3928	chrome.exe	102
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 3004	3928	chrome.exe	103
PID 3928 wrote to memory of 4496	3928	chrome.exe	104
PID 3928 wrote to memory of 4496	3928	chrome.exe	104
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105
PID 3928 wrote to memory of 1060	3928	chrome.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
780	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BetaGameTester_MALWARE_DO_NOT_RUN.zip
1⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb008cc40,0x7ffcb008cc4c,0x7ffcb008cc58
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2004,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3680,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4924,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=1184,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4592,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3404,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3384,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5804,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5704,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5692,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5552,i,17821249414973767734,14256117694192517757,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:6088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc52b0355hebb5h4715h9377hcc6fd12b9e2f
1⤵
PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcac6246f8,0x7ffcac624708,0x7ffcac624718
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14808878285635900589,9333069406567937624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14808878285635900589,9333069406567937624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14808878285635900589,9333069406567937624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
PID:5808

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5844
- C:\Windows\system32\systempropertiesadvanced.exe
  "C:\Windows\system32\systempropertiesadvanced.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcb008cc40,0x7ffcb008cc4c,0x7ffcb008cc58
  2⤵
  PID:5948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4784,i,10621276655792107665,783297792299809190,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4264

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ssl-key.log
1⤵
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1760

C:\Users\Admin\Downloads\Wireshark-4.2.6-x64.exe
"C:\Users\Admin\Downloads\Wireshark-4.2.6-x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1836
- C:\Program Files\Wireshark\vc_redist.x64.exe
  "C:\Program Files\Wireshark\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2260
- - C:\Windows\Temp\{A1739FF2-2EE6-4DFC-B538-1AEAF86FEC1F}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{A1739FF2-2EE6-4DFC-B538-1AEAF86FEC1F}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Wireshark\vc_redist.x64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=576 /install /quiet /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3760
  - - C:\Windows\Temp\{34EED25C-8915-4FDC-A32F-ED0C024BF14C}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{34EED25C-8915-4FDC-A32F-ED0C024BF14C}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{4FE9A5E3-D0E6-4BAC-B48E-5A69FA826A15} {30522327-458A-47FA-83A6-572EC1CF62D4} 3760
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3640
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{91DCD40F-46C1-4BC5-BF0E-DFA75694D3F6} {E2BB57A5-2E54-41DF-8CBC-260EB34D270D} 3640
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5824
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=1176 -burn.embedded BurnPipe.{91DCD40F-46C1-4BC5-BF0E-DFA75694D3F6} {E2BB57A5-2E54-41DF-8CBC-260EB34D270D} 3640
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5784
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9968725C-8B3C-4543-911D-E1A5F807AC7A} {CEE0BFBC-7E46-4EFD-8AF7-0BD0309F8D18} 5784
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:6128
- C:\Program Files\Wireshark\npcap-1.78.exe
  "C:\Program Files\Wireshark\npcap-1.78.exe" /winpcap_mode=no /loopback_support=no
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6064
- - C:\Users\Admin\AppData\Local\Temp\nsdC151.tmp\NPFInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\nsdC151.tmp\NPFInstall.exe" -n -check_dll
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43){certutil.exe -verifystore 'Root' '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43}}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
  - - C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2560
- - C:\Windows\SysWOW64\certutil.exe
    certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:364
- - C:\Windows\SysWOW64\certutil.exe
    certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsdC151.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "If (Get-ChildItem Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25){certutil.exe -verifystore 'Root' '5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25';If($LASTEXITCODE -ne 0){Remove-Item Cert:\LocalMachine\Root\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25}}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
  - - C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\system32\certutil.exe" -verifystore Root 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Windows\SysWOW64\certutil.exe
    certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:700
- - C:\Windows\SysWOW64\certutil.exe
    certutil.exe -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsdC151.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\certutil.exe
    certutil.exe -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsdC151.tmp\signing.p7b"
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    PID:5932
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5224
  - - C:\Windows\SYSTEM32\pnputil.exe
      pnputil.exe -e
      4⤵
      PID:2068
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5648
- - C:\Program Files\Npcap\NPFInstall.exe
    "C:\Program Files\Npcap\NPFInstall.exe" -n -i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:5656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2348

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3488
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{70ebf253-bf57-f34e-a599-aacc0bf84678}\NPCAP.inf" "9" "405306be3" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2216

C:\Program Files\Wireshark\Wireshark.exe
"C:\Program Files\Wireshark\Wireshark.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5508
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-interfaces --extcap-version=4.2
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-config --extcap-interface etwdump
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -D -Z none
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2216
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -i \Device\NPF_Loopback -L --list-time-stamp-types -Z none
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2352
- C:\Program Files\Wireshark\extcap\etwdump.exe
  "C:\Program Files\Wireshark\extcap\etwdump.exe" --extcap-dlts --extcap-interface etwdump
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Program Files\Wireshark\dumpcap.exe
  "C:\Program Files\Wireshark\dumpcap.exe" -S -Z 5508.dummy
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3676

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4536
- C:\Windows\system32\net.exe
  net start npcap
  2⤵
  PID:512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start npcap
    3⤵
    PID:2624
- C:\Windows\system32\net.exe
  net start npf
  2⤵
  PID:3496
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start npf
    3⤵
    PID:4212
- C:\Windows\system32\net.exe
  net start npcap
  2⤵
  PID:4228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start npcap
    3⤵
    PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb008cc40,0x7ffcb008cc4c,0x7ffcb008cc58
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4604,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4816,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3708,i,15304548368885179940,13174579766824282039,262144 --variations-seed-version=20240823-130058.581000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4948

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5612

C:\Users\Admin\Desktop\BetaGameTester.exe
"C:\Users\Admin\Desktop\BetaGameTester.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5440

C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
"C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=5440 get ExecutablePath"
  2⤵
  PID:3004
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=5440 get ExecutablePath
    3⤵
    PID:4576
- C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
  "C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\descimbrariamos" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2024,i,4054526794942897895,5618608028067454628,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
  "C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\descimbrariamos" --mojo-platform-channel-handle=2144 --field-trial-handle=2024,i,4054526794942897895,5618608028067454628,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:624
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:4752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:4412
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:1616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4140
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:5112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:764
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:3360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4136 get ExecutablePath"
  2⤵
  PID:1536
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4136 get ExecutablePath
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:952
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:6064
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:5800
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:5844
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:6020
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:1280
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:2308
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:212
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:5308
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:424
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:5536
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)""
  2⤵
  PID:1616
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 124.0.2 (x64 en-US)"
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:2280
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:5132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:4980
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:5628
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:5260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}""
  2⤵
  PID:1420
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}"
    3⤵
    PID:5780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
  2⤵
  PID:5956
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
    3⤵
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
  2⤵
  PID:5804
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
    3⤵
    PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:5372
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
    3⤵
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:5652
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:5648
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
  2⤵
  PID:5560
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
    3⤵
    PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:5456
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
  2⤵
  PID:3368
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
  2⤵
  PID:1724
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
    3⤵
    PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
  2⤵
  PID:2168
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
  2⤵
  PID:5472
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
    3⤵
    PID:5812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:2560
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:5636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
  2⤵
  PID:3944
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}""
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}"
    3⤵
    PID:5536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
    3⤵
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CmRiqxm8wyDV_tezmp.ps1""
  2⤵
  PID:916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\CmRiqxm8wyDV_tezmp.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:3500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:5792
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:5260
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3320
- C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
  "C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\descimbrariamos" --app-path="C:\Users\Admin\AppData\Local\Programs\descimbrariamos\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=20184 --field-trial-handle=2024,i,4054526794942897895,5618608028067454628,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4004
- C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
  "C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\descimbrariamos" --app-path="C:\Users\Admin\AppData\Local\Programs\descimbrariamos\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=20200 --field-trial-handle=2024,i,4054526794942897895,5618608028067454628,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2608
- C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe
  "C:\Users\Admin\AppData\Local\Programs\descimbrariamos\BetaGameTester.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\descimbrariamos" --app-path="C:\Users\Admin\AppData\Local\Programs\descimbrariamos\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=20640 --field-trial-handle=2024,i,4054526794942897895,5618608028067454628,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupPV9I8p /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe /f"
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupPV9I8p /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe /f
    3⤵
    - Adds Run key to start application
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupPV9I8p /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe\" /F /rl highest"
  2⤵
  PID:1032
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupPV9I8p /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe\" /F /rl highest
    3⤵
    PID:4700
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupPV9I8p /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe\" /F /rl highest
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe\"""
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe\""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:3852
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BetaGameTester.exe
      4⤵
      Views/modifies file attributes
      PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:692
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\duaZsQ9WYCl5.vbs"
  2⤵
  PID:5544
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\duaZsQ9WYCl5.vbs
    3⤵
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh interface set interface "Ethernet" admin=disable"
  2⤵
  PID:1192
- - C:\Windows\system32\netsh.exe
    netsh interface set interface "Ethernet" admin=disable
    3⤵
    PID:2488
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get locale
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo wlan"
  2⤵
  PID:5684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan disconnect"
  2⤵
  PID:2980
- - C:\Windows\system32\netsh.exe
    netsh wlan disconnect
    3⤵
    PID:5648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery