hxxps://github[.]com/RCode777/Windows-DDoS-Tools

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	nmap.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	nmap.exe

Executes dropped EXE 12 IoCs

pid	Process
2156	nmap-7.80-setup.exe
5184	npcap-0.9982-oem.exe
4592	NPFInstall.exe
2188	NPFInstall.exe
5656	NPFInstall.exe
2204	NPFInstall.exe
392	nmap-7.80-setup.exe
2272	zenmap.exe
3352	nmap.exe
6820	nmap.exe
4236	nmap.exe
5276	nmap.exe

Loads dropped DLL 64 IoCs

pid	Process
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
5184	npcap-0.9982-oem.exe
2156	nmap-7.80-setup.exe
2156	nmap-7.80-setup.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe
2272	zenmap.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b7dc1d9c31bf0bbe\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b7dc1d9c31bf0bbe\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-0.9982-oem.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44FB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-0.9982-oem.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-0.9982-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44EA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-0.9982-oem.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-0.9982-oem.exe
File created	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44FB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-0.9982-oem.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-0.9982-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b7dc1d9c31bf0bbe\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44EA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44FA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\SET44FA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_b7dc1d9c31bf0bbe\npcap.PNF	NPFInstall.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\loop.sys	DrvInst.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-0.9982-oem.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{691bf31b-e5e6-af4b-b043-452d05818705}\npcap.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nmap\scripts\dict-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\stun-version.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\intl.dll	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\iec-identify.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ipidseq.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\netbus-version.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\dhcp6.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\jdwp-class\JDWPExecCmd.class	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\vl_3_75.png	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\etc\gtk-2.0\im-multipress.conf	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\COPYING	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\deluge-rpc-brute.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-comments-displayer.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\snmp-sysdescr.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\sslcert.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ftp-syst.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ipv6-multicast-mld-list.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\geoip.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\libssh2.luadoc	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\freebsd_32.png	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-unsafe-output-escaping.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ncp-enum-users.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\rdp-ntlm-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-vuln-ms06-025.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ssl-ccs-injection.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\ssh1.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\omron-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\epmd-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-method-tamper.nse	nmap-7.80-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libcairo-2.dll	nmap-7.80-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libgdk_pixbuf-2.0-0.dll	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\bjnp-discover.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-vuln-ms10-061.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\xmpp-brute.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\enterprise_numbers.txt	nmap-7.80-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libpango-1.0-0.dll	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\ventrilo-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\psexec\examples.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\locale\it\LC_MESSAGES\zenmap.mo	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-slowloris.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\mysql-query.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\riak-http-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\tableaux.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\oracle-sids	nmap-7.80-setup.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-0.9982-oem.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\radialnet\router.png	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libasprintf-0.dll	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-hp-ilo-info.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-rfi-spider.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\data\psexec\backdoor.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\share\zenmap\pixmaps\redhat_75.png	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\etc\bash_completion.d\gsettings-bash-completion.sh	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\dns-ip6-arpa-scan.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\http-vuln-cve2012-1823.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\scripts\smb-protocols.nse	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\rdp.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\py2exe\etc\pango\pango.modules	nmap-7.80-setup.exe
File opened for modification	C:\Program Files (x86)\Nmap\py2exe\libatk-1.0-0.dll	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\amqp.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\wsdd.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\datafiles.lua	nmap-7.80-setup.exe
File created	C:\Program Files (x86)\Nmap\nselib\json.lua	nmap-7.80-setup.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-0.9982-oem.exe
File created	C:\Program Files (x86)\Nmap\py2exe\libgdk-win32-2.0-0.dll	nmap-7.80-setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-mobile-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification-shared\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-tokenized-card\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-tokenized-card\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\Wallet-BuyNow\wallet-buynow.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-cs.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_922960295\Filtering Rules	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-ec\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-ec\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-tokenized-card\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\wallet\wallet-checkout\merchant-site-info.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1109338180\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-tk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1908637976\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-shared-components\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\Mini-Wallet\mini-wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\vendor.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\ka\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_655021328\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-sq.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification-shared\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-nl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-pa.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1908637976\auto_open_controller.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-hub\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification-shared\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification-shared\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-tokenized-card\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\ms\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-ga.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-mobile-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-notification-shared\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\wallet-webui-227.bb2c3c84778e2589775f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\Tokenized-Card\tokenized-card.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_215750006\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-cy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-kn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\hyph-sk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-ec\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-mobile-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_1500_898006272\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1908637976\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-ec\cs\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-hub\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\json\i18n-shared-components\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_239795875\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_215750006\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\dasherSettingSchema.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1500_807694093\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping6044_1724764678\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zenmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-0.9982-oem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap-7.80-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap-7.80-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedt32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5428	PING.EXE
7112	PING.EXE
4736	PING.EXE
2824	PING.EXE
5384	PING.EXE
6140	PING.EXE
2836	PING.EXE
5520	PING.EXE
3064	PING.EXE
1176	PING.EXE
6984	PING.EXE
4576	PING.EXE
2540	PING.EXE
3064	PING.EXE
3896	PING.EXE
5948	PING.EXE
2196	PING.EXE
5936	PING.EXE
6812	PING.EXE
6724	PING.EXE
1148	PING.EXE
6428	PING.EXE
60	PING.EXE
3416	PING.EXE
2216	PING.EXE
6580	PING.EXE
2140	PING.EXE
2244	PING.EXE
1748	PING.EXE
5636	PING.EXE
6064	PING.EXE
6488	PING.EXE
1664	PING.EXE
6224	PING.EXE
2624	PING.EXE
3844	PING.EXE
700	PING.EXE
7132	PING.EXE
2456	PING.EXE
4712	PING.EXE
1280	PING.EXE
4724	PING.EXE
3764	PING.EXE
7036	PING.EXE
4080	PING.EXE
1852	PING.EXE
2940	PING.EXE
2220	PING.EXE
5984	PING.EXE
2624	PING.EXE
2484	PING.EXE
4748	PING.EXE
5516	PING.EXE
7008	PING.EXE
6908	PING.EXE
6252	PING.EXE
6048	PING.EXE
2740	PING.EXE
3812	PING.EXE
6372	PING.EXE
6956	PING.EXE
5888	PING.EXE
7056	PING.EXE
3572	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	NPFInstall.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876298461315881"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498259476-758239146-3116387113-1000\{6D9D21C5-58BF-4B5B-AE4D-FE26FBCEEBA4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498259476-758239146-3116387113-1000\{F79C7A1F-B993-47BE-ACD9-A91AD92ABFC3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings	firefox.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2540	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE
6216	PING.EXE
1472	PING.EXE
6736	PING.EXE
1636	PING.EXE
6480	PING.EXE
7016	PING.EXE
2540	PING.EXE
6372	PING.EXE
1432	PING.EXE
1868	PING.EXE
3604	PING.EXE
1168	PING.EXE
2872	PING.EXE
5660	PING.EXE
1772	PING.EXE
1476	PING.EXE
4872	PING.EXE
4716	PING.EXE
5348	PING.EXE
4416	PING.EXE
4304	PING.EXE
3532	PING.EXE
376	PING.EXE
4272	PING.EXE
3056	PING.EXE
2624	PING.EXE
2924	PING.EXE
4388	PING.EXE
60	PING.EXE
416	PING.EXE
6220	PING.EXE
1676	PING.EXE
6276	PING.EXE
5828	PING.EXE
2052	PING.EXE
5912	PING.EXE
7012	PING.EXE
6064	PING.EXE
444	PING.EXE
1996	PING.EXE
5936	PING.EXE
2824	PING.EXE
2064	PING.EXE
3808	PING.EXE
5736	PING.EXE
1036	PING.EXE
1852	PING.EXE
4720	PING.EXE
5576	PING.EXE
5708	PING.EXE
2940	PING.EXE
1852	PING.EXE
3712	PING.EXE
632	PING.EXE
5728	PING.EXE
2028	PING.EXE
416	PING.EXE
2940	PING.EXE
4844	PING.EXE
6008	PING.EXE
2672	PING.EXE
1176	PING.EXE
3732	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6132	SCHTASKS.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
6044	msedge.exe
6044	msedge.exe
5276	powershell.exe
5276	powershell.exe
5276	powershell.exe
5080	msedge.exe
5080	msedge.exe
3352	nmap.exe
3352	nmap.exe
6820	nmap.exe
6820	nmap.exe
4236	nmap.exe
4236	nmap.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3484	OpenWith.exe

Suspicious behavior: LoadsDriver 27 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe
6044	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeSecurityPrivilege	2168	svchost.exe
Token: SeTakeOwnershipPrivilege	2168	svchost.exe
Token: 35	2168	svchost.exe
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeAuditPrivilege	1040	svchost.exe
Token: SeSecurityPrivilege	1040	svchost.exe
Token: SeLoadDriverPrivilege	2204	NPFInstall.exe
Token: SeRestorePrivilege	5044	DrvInst.exe
Token: SeBackupPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: SeDebugPrivilege	2020	firefox.exe
Token: SeDebugPrivilege	2020	firefox.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
6044	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
392	nmap-7.80-setup.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe
2020	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1972	1500	msedge.exe	81
PID 1500 wrote to memory of 1972	1500	msedge.exe	81
PID 1500 wrote to memory of 356	1500	msedge.exe	82
PID 1500 wrote to memory of 356	1500	msedge.exe	82
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 5208	1500	msedge.exe	83
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84
PID 1500 wrote to memory of 1848	1500	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/RCode777/Windows-DDoS-Tools
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x290,0x7ffbecdff208,0x7ffbecdff214,0x7ffbecdff220
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  PID:356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2260,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2420,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3528,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5448,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6152,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6628,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6752,i,4951152130051214838,3962383712077506584,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x310,0x7ffbecdff208,0x7ffbecdff214,0x7ffbecdff220
    3⤵
    PID:2504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1764,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    PID:5892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2556,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:5404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4320,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4352,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
    3⤵
    PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4352,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
    3⤵
    PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4632,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4640,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4712 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4156,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:8
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4752,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4744,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4708,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4952 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4104,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4060,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1868,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8
    3⤵
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3984,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
    3⤵
    PID:5716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4628,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3996,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:1
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5444,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:8
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6020,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6380 /prefetch:8
    3⤵
    PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6716,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
    3⤵
    PID:6848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6620,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
    3⤵
    PID:6436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6636,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6604 /prefetch:1
    3⤵
    PID:3272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5960,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
    3⤵
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=1344 /prefetch:8
    3⤵
    PID:6832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=1344,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:1
    3⤵
    PID:6236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6240,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:1
    3⤵
    PID:988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7084,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=6684,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:1
    3⤵
    PID:2352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7060,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7036 /prefetch:1
    3⤵
    PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7204,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=7324,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=7316,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:1
    3⤵
    PID:6828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=8012,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=8016 /prefetch:1
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5688,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
    3⤵
    PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
    3⤵
    PID:6964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7080,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7488 /prefetch:8
    3⤵
    PID:6856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5676,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:8
    3⤵
    PID:6192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=4968,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
    3⤵
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5756,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:8
    3⤵
    PID:384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6076,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7172 /prefetch:1
    3⤵
    PID:6772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=7764,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7744 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=7484,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=7812 /prefetch:1
    3⤵
    PID:4748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=6072,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=8048 /prefetch:1
    3⤵
    PID:1180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=4748,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:1
    3⤵
    PID:6580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=8048,i,13444303197193420147,4147042702429964241,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\DDoS-Tools.bat" "
1⤵
PID:3012
- C:\Windows\system32\mode.com
  mode 110,40
  2⤵
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://nmap.org/dist/nmap-7.80-setup.exe -OutFile nmap-7.80-setup.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\nmap-7.80-setup.exe
  nmap-7.80-setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\nsoBDA.tmp\npcap-0.9982-oem.exe
    "C:\Users\Admin\AppData\Local\Temp\nsoBDA.tmp\npcap-0.9982-oem.exe" /winpcap_mode=no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:5184
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst2F9F.tmp\Insecure-SHA1.cer"
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nst2F9F.tmp\Insecure-EV.cer"
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:560
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -c
      4⤵
      Executes dropped EXE
      PID:4592
    - - C:\Windows\SYSTEM32\pnputil.exe
        
        pnputil.exe -e
        5⤵
        
        PID:1116
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -i
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Checks SCSI registry key(s)
      PID:5656
  - - C:\Program Files\Npcap\NPFInstall.exe
      "C:\Program Files\Npcap\NPFInstall.exe" -n -il
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:2204
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh.exe interface show interface
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4796
  - - C:\Windows\SysWOW64\SCHTASKS.EXE
      SCHTASKS.EXE /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'C:\Program Files\Npcap\CheckStatus.bat'" /NP
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:6132
- - C:\Windows\SysWOW64\regedt32.exe
    regedt32 /S "C:\Users\Admin\AppData\Local\Temp\nsoBDA.tmp\nmap_performance.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\nsoBDA.tmp\nmap_performance.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3484
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\Unknown Doser.rar
  2⤵
  PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Unknown Doser.rar
1⤵
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\DDoS-Tools.bat" "
1⤵
PID:3316
- C:\Windows\system32\mode.com
  mode 110,40
  2⤵
  PID:5956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1040
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{81375620-fb8b-174d-b2e0-2981b7c2163f}\NPCAP.inf" "9" "405306be3" "00000000000001CC" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3328
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\netloop.inf" "netloop.inf:db04a16c8f2dc9fb:kmloop.ndi:10.0.19041.1:*msloop," "4632877cf" "0000000000000204"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:1044

C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\nmap-7.80-setup.exe
"C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\nmap-7.80-setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:392

C:\Program Files (x86)\Nmap\zenmap.exe
"C:\Program Files (x86)\Nmap\zenmap.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX c:\users\admin\appdata\local\temp\zenmap-zdcpbc.xml swewebstore.se
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX c:\users\admin\appdata\local\temp\zenmap-7vc8gw.xml https://swewave.se/
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6820
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:6868
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -T4 -A -v -oX c:\users\admin\appdata\local\temp\zenmap-7cl0ym.xml https://swewave.se/
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:6684
- C:\Program Files (x86)\Nmap\nmap.exe
  nmap -sn -oX c:\users\admin\appdata\local\temp\zenmap-rfjqwl.xml https://swewave.se/
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5276
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" start npcap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start npcap
      4⤵
      System Location Discovery: System Language Discovery
      PID:6608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5412
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2016 -prefsLen 27100 -prefMapHandle 2020 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {71c49ebb-d438-4897-bbbd-856a36ed65e5} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2468 -prefsLen 27136 -prefMapHandle 2472 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {4165281f-922b-4ce5-aaac-916a05e8a444} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3656 -prefsLen 27277 -prefMapHandle 3660 -prefMapSize 270279 -jsInitHandle 3664 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3672 -initialChannelId {4975dd9c-5b3f-4dc7-826c-42de3e8b8fa8} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3824 -prefsLen 27277 -prefMapHandle 3828 -prefMapSize 270279 -ipcHandle 3932 -initialChannelId {b728d679-edff-4870-8e35-2eb6f3aeffb3} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3044 -prefsLen 34776 -prefMapHandle 4508 -prefMapSize 270279 -jsInitHandle 4512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4524 -initialChannelId {29579e89-6c59-4873-9169-378e94841503} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4416 -prefsLen 35013 -prefMapHandle 4636 -prefMapSize 270279 -ipcHandle 5056 -initialChannelId {8afdbe3f-7f7b-443b-b061-1d15af489797} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:6404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5288 -prefsLen 32952 -prefMapHandle 5292 -prefMapSize 270279 -jsInitHandle 5296 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5304 -initialChannelId {646be4c1-cd06-426d-9ad3-b1bdc78c83ce} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:6420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5476 -prefsLen 32952 -prefMapHandle 5480 -prefMapSize 270279 -jsInitHandle 5484 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5492 -initialChannelId {a3e59077-091c-4287-b16f-b96540816f2e} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:6432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5520 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5684 -initialChannelId {1706bda3-99b5-4f0b-9b80-c48b055cb6f5} -parentPid 2020 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2020" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x318 0x4b8
1⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\DDoS-Tools.bat" "
1⤵
PID:1600
- C:\Windows\system32\mode.com
  mode 110,40
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.virtualbox.org/wiki/Downloads
  2⤵
  PID:6908
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:2396
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6344
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6020
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5680
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6856
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6208
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4736
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6612
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1956
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:1472
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:3404
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3844
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5396
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:5912
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6772
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5184
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4160
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  PID:1992
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:2028
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5824
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6936
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2824
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4748
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6168
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6280
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4868
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6752
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1288
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1456
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5104
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1048
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:3572
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:5828
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5080
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6428
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6384
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3972
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4456
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2448
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1996
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5428
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3808
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3692
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6528
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5260
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4480
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5736
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3400
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4596
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4756
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6756
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6656
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2352
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3732
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2016
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5936
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1828
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3272
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2236
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4940
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:632
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4776
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4072
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1620
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6812
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2144
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7100
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6840
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7132
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6688
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1748
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1036
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6060
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:7016
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5812
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7080
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3744
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6372
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1244
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4612
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4576
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5796
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5516
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3196
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3980
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7156
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6636
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6892
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5088
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5324
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4852
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1604
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6996
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2244
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3076
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5708
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4148
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2428
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2780
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5980
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1176
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2280
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1816
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:60
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6844
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3212
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2440
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2676
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5616
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1656
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4264
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6408
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1988
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3524
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3340
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2700
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6256
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6076
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3812
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6740
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6856
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6448
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2488
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4732
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2540
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5840
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:540
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3288
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5380
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2216
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4548
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1868
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3480
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:6008
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4272
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4712
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3284
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2484
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1184
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2336
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2396
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3740
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6572
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5824
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5520
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6388
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2824
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2220
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3040
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:376
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6280
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6488
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6752
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4300
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3252
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2636
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6336
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:700
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6048
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2052
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6784
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6428
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6632
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4676
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5384
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7128
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2968
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1852
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6232
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4412
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6580
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2684
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6876
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2648
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1532
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3732
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2016
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2140
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4848
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3060
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6644
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2208
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6720
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5932
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:7012
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6812
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2468
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6400
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7140
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5304
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6724
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4468
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4724
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4084
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5884
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7072
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7080
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5916
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6372
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2436
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5636
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6664
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4332
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5516
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3180
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6088
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1432
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3704
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3052
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3320
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1348
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2244
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3076
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:5708
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3764
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6080
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6392
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6584
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6104
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2940
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6320
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4100
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1808
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4968
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3224
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6180
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4436
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:5660
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6344
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2432
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4012
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:6736
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5204
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3792
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:828
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1164
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1956
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2740
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5840
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:540
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3288
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5380
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2156
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4660
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1868
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3480
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6008
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4272
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6140
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5000
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5648
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5608
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2256
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4304
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7088
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1992
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4088
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:560
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5824
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6544
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3884
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:376
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4720
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:668
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4180
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5612
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2552
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6972
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5104
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4516
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1912
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2052
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2028
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6784
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6796
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6384
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3972
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3056
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4440
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1996
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5428
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3808
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6220
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6808
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1980
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4480
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3400
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1776
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4412
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6580
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2684
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7008
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:5728
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4448
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6976
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4648
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1636
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:632
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5536
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6956
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5032
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5676
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4864
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7012
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6680
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7112
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2836
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4280
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7132
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5884
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7056
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7068
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5916
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4388
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1880
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4576
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1840
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5060
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4432
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3552
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7036
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5152
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6356
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6588
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3604
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3628
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4404
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6996
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6716
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2624
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6592
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1176
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2280
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1168
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1292
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6844
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3312
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2676
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1312
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2364
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4076
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3532
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4264
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2340
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2792
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1988
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6180
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4436
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2700
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6608
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:444
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5680
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2804
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4736
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2872
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6612
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4288
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2020
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1716
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:540
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3288
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4080
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4352
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5396
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3316
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5168
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:472
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:896
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6880
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2456
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2484
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4128
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4296
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3896
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7096
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3600
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3624
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4420
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5824
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5580
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6548
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3040
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6108
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:376
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:692
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1664
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4300
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6496
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7052
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1048
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6900
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1968
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3572
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2028
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6640
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6032
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:544
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5600
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3036
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1476
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1852
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6232
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:192
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5848
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6516
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6164
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:5736
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5036
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4908
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2284
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6756
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2648
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6868
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5400
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5936
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5488
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4448
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6976
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4788
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1636
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:632
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6984
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5536
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6720
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4064
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2896
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3068
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6832
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7108
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2468
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6840
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1536
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1748
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6688
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4020
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6908
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7060
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7132
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5884
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7056
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:2924
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5500
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:992
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6372
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3380
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4576
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5012
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:6480
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7156
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:3712
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6684
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6460
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6444
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5324
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4852
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1604
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4844
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2252
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6464
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5832
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5948
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:556
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:852
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5740
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5980
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6592
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:1176
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2940
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:60
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6276
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6844
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6320
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6268
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3416
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6408
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4360
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1116
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1988
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6180
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4436
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2700
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6256
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4752
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3812
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2408
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6448
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4708
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:384
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4736
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2872
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6672
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6612
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4288
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2020
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3404
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5552
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6600
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2276
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2216
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6252
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6928
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:424
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3468
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4424
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:7152
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5296
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4712
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6772
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5648
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5608
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2484
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4748
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5580
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6548
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3040
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4720
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:376
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6488
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1664
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4300
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6972
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6336
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4920
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6048
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5388
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1148
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4464
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:1888
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6396
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6192
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6800
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6032
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:544
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5600
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3036
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5260
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6528
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:6220
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2092
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:4872
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  - Runs ping.exe
  PID:5576
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:3348
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6072
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5444
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6876
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2684
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6656
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:2352
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:4044
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:5936
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -l 100 -n 1
  2⤵
  PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Windows-DDoS-Tools-main\DDoS-Tools.bat" "
1⤵
PID:3060
- C:\Windows\system32\mode.com
  mode 110,40
  2⤵
  PID:4840
- C:\Windows\system32\nslookup.exe
  nslookup https://swewave.se/
  2⤵
  PID:4576
- C:\Windows\system32\nslookup.exe
  nslookup https://swewave.se
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.grabify.link/
  2⤵
  PID:4712
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -n 1
  2⤵
  PID:5260
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6528
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1776
- C:\Windows\system32\PING.EXE
  ping https://swewave.se/ -n 2
  2⤵
  - Runs ping.exe
  PID:6216
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5160
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1780
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6264
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1224
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6224
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4972
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:656
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:116
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:1676
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2196
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1092
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:4388
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5636
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:7064
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6372
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5060
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5044
- C:\Windows\system32\PING.EXE
  ping localhost -n 2
  2⤵
  PID:6892
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1280
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:1648
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6684
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5088
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:464
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6956
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:4844
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:4716
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:2780
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2624
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:4740
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:2956
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6584
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:6276
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5440
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:5780
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  PID:6104
- C:\Windows\system32\PING.EXE
  ping localhost -n 1
  2⤵
  - Runs ping.exe
  PID:5348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery