0e38763afc44da863332dd3a156e2b82db5c1361353f30b0a133e82e669ec1e9

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 04:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
Size

108KB
MD5

3bf4d8c8bc4216ec9c95f89eb03d833e
SHA1

7764794a8cea89ef0a1b9eca48ce47a207304bad
SHA256

0e38763afc44da863332dd3a156e2b82db5c1361353f30b0a133e82e669ec1e9
SHA512

d0575a645b3712c6a4a41f8b0e5941d2073d12e943ad1e87ae71e111c6dc2a0830861190326338768e83a12a24a84990ceeacc4bfbb103183c4535b47b5a859b
SSDEEP

768:U7rgnvQjXcTmAaigvO2B/fJPSysbX2uraeVE65IJnur1v2j7rgnvQjXsU1DYPtiG:U7rA6Xizy8hVrI05v2j7rA6XsU6tKf

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2740	net.net
2924	net.net
2596	net.net
336	net.net
1612	net.net
1684	net.net
2352	net.net
2788	net.net
2904	net.net
2248	net.net
2488	net.net
1252	net.net
2092	net.net
2760	net.net
2628	net.net
564	net.net
532	net.net
2012	net.net
1028	net.net
1516	net.net
1436	net.net
2980	net.net
372	net.net
1432	net.net
1500	net.net
1528	net.net
2840	net.net
2656	net.net
2856	net.net
564	net.net
1060	net.net
2896	net.net
2188	net.net
1560	net.net
1120	net.net
872	net.net
2988	net.net
1668	net.net
3048	net.net
2516	net.net
2816	net.net
2864	net.net
2736	net.net
2868	net.net
1940	net.net
816	net.net
1288	net.net
404	net.net
1696	net.net
112	net.net
928	net.net
3028	net.net
1380	net.net
1252	net.net
2212	net.net
2808	net.net
2996	net.net
480	net.net
1268	net.net
1912	net.net
600	net.net
2184	net.net
1108	net.net
1408	net.net

Loads dropped DLL 64 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe
2104	cmd.exe
2104	cmd.exe
2600	cmd.exe
2600	cmd.exe
684	cmd.exe
684	cmd.exe
592	cmd.exe
592	cmd.exe
1868	cmd.exe
1868	cmd.exe
1028	cmd.exe
1028	cmd.exe
2400	cmd.exe
2400	cmd.exe
624	cmd.exe
624	cmd.exe
2980	cmd.exe
2980	cmd.exe
1924	cmd.exe
1924	cmd.exe
2512	cmd.exe
2512	cmd.exe
3000	cmd.exe
3000	cmd.exe
2716	cmd.exe
2716	cmd.exe
2620	cmd.exe
2620	cmd.exe
2644	cmd.exe
2644	cmd.exe
1600	cmd.exe
1600	cmd.exe
1868	cmd.exe
1868	cmd.exe
2120	cmd.exe
2120	cmd.exe
2956	cmd.exe
2956	cmd.exe
1308	cmd.exe
1308	cmd.exe
1240	cmd.exe
1240	cmd.exe
1608	cmd.exe
1608	cmd.exe
1896	cmd.exe
1896	cmd.exe
1864	cmd.exe
1864	cmd.exe
2408	cmd.exe
2408	cmd.exe
2796	cmd.exe
2796	cmd.exe
2648	cmd.exe
2648	cmd.exe
760	cmd.exe
760	cmd.exe
2652	cmd.exe
2652	cmd.exe
1728	cmd.exe
1728	cmd.exe
2892	cmd.exe
2892	cmd.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	net.net

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\net.net	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.net	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
2092	PING.EXE
2732	PING.EXE
2784	PING.EXE
2476	PING.EXE
1976	PING.EXE
2196	PING.EXE
1528	PING.EXE
2036	PING.EXE
2396	PING.EXE
532	PING.EXE
960	PING.EXE
1668	PING.EXE
992	PING.EXE
2840	PING.EXE
3012	PING.EXE
2408	PING.EXE
2840	PING.EXE
2852	PING.EXE
956	PING.EXE
2100	PING.EXE
1628	PING.EXE
1952	PING.EXE
1940	PING.EXE
2604	PING.EXE
1180	PING.EXE
1800	PING.EXE
1232	PING.EXE
2100	PING.EXE
2008	PING.EXE
2156	PING.EXE
2204	PING.EXE
2504	PING.EXE
2608	PING.EXE
2760	PING.EXE
1568	PING.EXE
2968	PING.EXE
1948	PING.EXE
1604	PING.EXE
1232	PING.EXE
2640	PING.EXE
1328	PING.EXE
2492	PING.EXE
2820	PING.EXE
340	PING.EXE
2264	PING.EXE
2032	PING.EXE
2560	PING.EXE
992	PING.EXE
884	PING.EXE
2144	PING.EXE
2532	PING.EXE
2644	PING.EXE
1308	PING.EXE
1372	PING.EXE
1296	PING.EXE
2948	PING.EXE
2272	PING.EXE
1248	PING.EXE
620	PING.EXE
1240	PING.EXE
836	PING.EXE
2164	PING.EXE
1596	PING.EXE
1736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
2740	net.net
2924	net.net
2596	net.net
336	net.net
1612	net.net
1684	net.net
2352	net.net
2788	net.net
2904	net.net
2248	net.net
2488	net.net
2092	net.net
2760	net.net
2628	net.net
564	net.net
532	net.net
2012	net.net
1028	net.net
1516	net.net
1436	net.net
2980	net.net
372	net.net
1432	net.net
1500	net.net
1528	net.net
2840	net.net
2656	net.net
2856	net.net
564	net.net
1060	net.net
2896	net.net
2188	net.net
1560	net.net
1120	net.net
872	net.net
2988	net.net
1668	net.net
3048	net.net
2516	net.net
2816	net.net
2864	net.net
2736	net.net
2868	net.net
1940	net.net
816	net.net
1288	net.net
404	net.net
1696	net.net
112	net.net
928	net.net
3028	net.net
1380	net.net
2212	net.net
2808	net.net
2996	net.net
480	net.net
1268	net.net
1912	net.net
600	net.net
2184	net.net
1108	net.net
1408	net.net
920	net.net

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
2740	net.net
2740	net.net
2740	net.net
2924	net.net
2924	net.net
2924	net.net
2596	net.net
2596	net.net
2596	net.net
336	net.net
336	net.net
336	net.net
1612	net.net
1612	net.net
1612	net.net
1684	net.net
1684	net.net
1684	net.net
2352	net.net
2352	net.net
2352	net.net
2788	net.net
2788	net.net
2788	net.net
2904	net.net
2904	net.net
2904	net.net
2248	net.net
2248	net.net
2248	net.net
2488	net.net
2488	net.net
2488	net.net
2092	net.net
2092	net.net
2092	net.net
2760	net.net
2760	net.net
2760	net.net
2628	net.net
2628	net.net
2628	net.net
564	net.net
564	net.net
564	net.net
532	net.net
532	net.net
532	net.net
2012	net.net
2012	net.net
2012	net.net
1028	net.net
1028	net.net
1028	net.net
1516	net.net
1516	net.net
1516	net.net
1436	net.net
1436	net.net
1436	net.net
2980	net.net

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1212	2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe	30
PID 2084 wrote to memory of 1212	2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe	30
PID 2084 wrote to memory of 1212	2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe	30
PID 2084 wrote to memory of 1212	2084	3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe	30
PID 1212 wrote to memory of 2092	1212	cmd.exe	32
PID 1212 wrote to memory of 2092	1212	cmd.exe	32
PID 1212 wrote to memory of 2092	1212	cmd.exe	32
PID 1212 wrote to memory of 2092	1212	cmd.exe	32
PID 1212 wrote to memory of 2708	1212	cmd.exe	33
PID 1212 wrote to memory of 2708	1212	cmd.exe	33
PID 1212 wrote to memory of 2708	1212	cmd.exe	33
PID 1212 wrote to memory of 2708	1212	cmd.exe	33
PID 2708 wrote to memory of 2740	2708	cmd.exe	34
PID 2708 wrote to memory of 2740	2708	cmd.exe	34
PID 2708 wrote to memory of 2740	2708	cmd.exe	34
PID 2708 wrote to memory of 2740	2708	cmd.exe	34
PID 2740 wrote to memory of 2864	2740	net.net	35
PID 2740 wrote to memory of 2864	2740	net.net	35
PID 2740 wrote to memory of 2864	2740	net.net	35
PID 2740 wrote to memory of 2864	2740	net.net	35
PID 2864 wrote to memory of 2732	2864	cmd.exe	37
PID 2864 wrote to memory of 2732	2864	cmd.exe	37
PID 2864 wrote to memory of 2732	2864	cmd.exe	37
PID 2864 wrote to memory of 2732	2864	cmd.exe	37
PID 2864 wrote to memory of 2104	2864	cmd.exe	38
PID 2864 wrote to memory of 2104	2864	cmd.exe	38
PID 2864 wrote to memory of 2104	2864	cmd.exe	38
PID 2864 wrote to memory of 2104	2864	cmd.exe	38
PID 2104 wrote to memory of 2924	2104	cmd.exe	39
PID 2104 wrote to memory of 2924	2104	cmd.exe	39
PID 2104 wrote to memory of 2924	2104	cmd.exe	39
PID 2104 wrote to memory of 2924	2104	cmd.exe	39
PID 2924 wrote to memory of 2884	2924	net.net	40
PID 2924 wrote to memory of 2884	2924	net.net	40
PID 2924 wrote to memory of 2884	2924	net.net	40
PID 2924 wrote to memory of 2884	2924	net.net	40
PID 2884 wrote to memory of 2784	2884	cmd.exe	42
PID 2884 wrote to memory of 2784	2884	cmd.exe	42
PID 2884 wrote to memory of 2784	2884	cmd.exe	42
PID 2884 wrote to memory of 2784	2884	cmd.exe	42
PID 2884 wrote to memory of 2600	2884	cmd.exe	43
PID 2884 wrote to memory of 2600	2884	cmd.exe	43
PID 2884 wrote to memory of 2600	2884	cmd.exe	43
PID 2884 wrote to memory of 2600	2884	cmd.exe	43
PID 2600 wrote to memory of 2596	2600	cmd.exe	44
PID 2600 wrote to memory of 2596	2600	cmd.exe	44
PID 2600 wrote to memory of 2596	2600	cmd.exe	44
PID 2600 wrote to memory of 2596	2600	cmd.exe	44
PID 2596 wrote to memory of 3024	2596	net.net	45
PID 2596 wrote to memory of 3024	2596	net.net	45
PID 2596 wrote to memory of 3024	2596	net.net	45
PID 2596 wrote to memory of 3024	2596	net.net	45
PID 3024 wrote to memory of 2644	3024	cmd.exe	47
PID 3024 wrote to memory of 2644	3024	cmd.exe	47
PID 3024 wrote to memory of 2644	3024	cmd.exe	47
PID 3024 wrote to memory of 2644	3024	cmd.exe	47
PID 3024 wrote to memory of 684	3024	cmd.exe	48
PID 3024 wrote to memory of 684	3024	cmd.exe	48
PID 3024 wrote to memory of 684	3024	cmd.exe	48
PID 3024 wrote to memory of 684	3024	cmd.exe	48
PID 684 wrote to memory of 336	684	cmd.exe	49
PID 684 wrote to memory of 336	684	cmd.exe	49
PID 684 wrote to memory of 336	684	cmd.exe	49
PID 684 wrote to memory of 336	684	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bf4d8c8bc4216ec9c95f89eb03d833e_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start "" "C:\Windows\system32\net.net"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\net.net
      "C:\Windows\system32\net.net"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        6⤵
        Runs ping.exe
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        9⤵
        Runs ping.exe
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        12⤵
        Runs ping.exe
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        14⤵
        
        PID:864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        15⤵
        Runs ping.exe
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        15⤵
        Loads dropped DLL
        
        PID:592
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        16⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        17⤵
        
        PID:600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        18⤵
        Runs ping.exe
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        18⤵
        Loads dropped DLL
        
        PID:1868
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        20⤵
        
        PID:568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        21⤵
        Runs ping.exe
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        21⤵
        Loads dropped DLL
        
        PID:1028
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        22⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        23⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        24⤵
        Runs ping.exe
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        24⤵
        Loads dropped DLL
        
        PID:2400
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        26⤵
        
        PID:696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        27⤵
        Runs ping.exe
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        27⤵
        Loads dropped DLL
        
        PID:624
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        28⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        29⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        30⤵
        Runs ping.exe
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        30⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        32⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        33⤵
        Runs ping.exe
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        33⤵
        Loads dropped DLL
        
        PID:1924
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        34⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        35⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        36⤵
        Runs ping.exe
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        36⤵
        Loads dropped DLL
        
        PID:2512
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        38⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        39⤵
        Runs ping.exe
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        39⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        41⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        42⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        42⤵
        Loads dropped DLL
        
        PID:2716
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        44⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        45⤵
        Runs ping.exe
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        45⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        47⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        48⤵
        Runs ping.exe
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        48⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        50⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        51⤵
        Runs ping.exe
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        51⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        52⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        53⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        54⤵
        Runs ping.exe
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        54⤵
        Loads dropped DLL
        
        PID:1868
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        56⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        57⤵
        Runs ping.exe
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        57⤵
        Loads dropped DLL
        
        PID:2120
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        59⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        60⤵
        Runs ping.exe
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        60⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        62⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        63⤵
        Runs ping.exe
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        63⤵
        Loads dropped DLL
        
        PID:1308
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        65⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        66⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        66⤵
        Loads dropped DLL
        
        PID:1240
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        67⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        68⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        69⤵
        Runs ping.exe
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        69⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        70⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        71⤵
        
        PID:880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        72⤵
        Runs ping.exe
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        72⤵
        Loads dropped DLL
        
        PID:1896
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        73⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        74⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        75⤵
        Runs ping.exe
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        75⤵
        Loads dropped DLL
        
        PID:1864
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        76⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        77⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        78⤵
        Runs ping.exe
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        78⤵
        Loads dropped DLL
        
        PID:2408
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        79⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        80⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        81⤵
        Runs ping.exe
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        81⤵
        Loads dropped DLL
        
        PID:2796
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        82⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        83⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        84⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        84⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        85⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        86⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        87⤵
        Runs ping.exe
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        87⤵
        Loads dropped DLL
        
        PID:760
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        88⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        89⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        90⤵
        Runs ping.exe
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        90⤵
        Loads dropped DLL
        
        PID:2652
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        92⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        93⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        93⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        94⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        95⤵
        
        PID:532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        96⤵
        Runs ping.exe
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        96⤵
        Loads dropped DLL
        
        PID:2892
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        97⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        98⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        99⤵
        Runs ping.exe
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        99⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        100⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        101⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        102⤵
        Runs ping.exe
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        102⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        103⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        104⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        105⤵
        Runs ping.exe
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        105⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        106⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        107⤵
        
        PID:660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        108⤵
        Runs ping.exe
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        108⤵
        
        PID:908
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        109⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        110⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        111⤵
        Runs ping.exe
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        111⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        112⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        113⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        114⤵
        Runs ping.exe
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        114⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        115⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        116⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        117⤵
        Runs ping.exe
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        117⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        118⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        119⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        120⤵
        Runs ping.exe
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        120⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        121⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        122⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        123⤵
        Runs ping.exe
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        123⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        124⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        125⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        126⤵
        Runs ping.exe
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        126⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        127⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        128⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        129⤵
        Runs ping.exe
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        129⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        130⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        131⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        132⤵
        Runs ping.exe
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        132⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        133⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        134⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        135⤵
        Runs ping.exe
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        135⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        136⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        137⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        138⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        138⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        139⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        140⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        141⤵
        Runs ping.exe
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        141⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        142⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        143⤵
        
        PID:840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        144⤵
        Runs ping.exe
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        144⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        145⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        146⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        147⤵
        Runs ping.exe
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        147⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        148⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        149⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        150⤵
        Runs ping.exe
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        150⤵
        
        PID:236
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        151⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        152⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        153⤵
        Runs ping.exe
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        153⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        154⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        155⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        156⤵
        Runs ping.exe
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        156⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        157⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        158⤵
        
        PID:340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        159⤵
        Runs ping.exe
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        159⤵
        
        PID:588
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        160⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        161⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        162⤵
        Runs ping.exe
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        162⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        163⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        164⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        165⤵
        Runs ping.exe
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        165⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        166⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        167⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        168⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        168⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        169⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        170⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        171⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        171⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        172⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        173⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        174⤵
        Runs ping.exe
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        174⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        175⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        176⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        177⤵
        Runs ping.exe
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        177⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        178⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        179⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        180⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        180⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        181⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        182⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        183⤵
        Runs ping.exe
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        183⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        184⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        185⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        186⤵
        Runs ping.exe
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        186⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        187⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        188⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        189⤵
        Runs ping.exe
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        189⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        190⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        191⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        192⤵
        Runs ping.exe
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        192⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        193⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        194⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        195⤵
        Runs ping.exe
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        195⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        196⤵
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        197⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        198⤵
        Runs ping.exe
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        198⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        199⤵
        Checks whether UAC is enabled
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        200⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        201⤵
        Runs ping.exe
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        201⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        202⤵
        Checks whether UAC is enabled
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        203⤵
        
        PID:880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        204⤵
        Runs ping.exe
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        204⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        205⤵
        Checks whether UAC is enabled
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        206⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        207⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\net.net"
        207⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\net.net
        
        "C:\Windows\system32\net.net"
        208⤵
        Checks whether UAC is enabled
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\net.net" >> NUL
        209⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        210⤵
        Runs ping.exe
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\net.net

Filesize
108KB

MD5
3bf4d8c8bc4216ec9c95f89eb03d833e

SHA1
7764794a8cea89ef0a1b9eca48ce47a207304bad

SHA256
0e38763afc44da863332dd3a156e2b82db5c1361353f30b0a133e82e669ec1e9

SHA512
d0575a645b3712c6a4a41f8b0e5941d2073d12e943ad1e87ae71e111c6dc2a0830861190326338768e83a12a24a84990ceeacc4bfbb103183c4535b47b5a859b

Download Submit
memory/112-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/336-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/336-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/532-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/564-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/872-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/928-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1028-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1252-82-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1288-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1288-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1380-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1436-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1500-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1516-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-110-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-109-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1668-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1684-46-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-210-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1696-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1912-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-120-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2488-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-185-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2596-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-23-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2600-24-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download
memory/2652-157-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2656-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2736-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-164-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2904-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-177-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-84-0x0000000000130000-0x000000000014B000-memory.dmp

Filesize
108KB

Download