0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Size

96KB
MD5

95493103ed99da8300c9f13cbb519dc0
SHA1

42d007691613ba22b1a7351b01fd4c32f4160549
SHA256

0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4
SHA512

55215a6a01327728de5d805a3446a64e089573f9699a80f91a227867d624f67819257bdd453b69682ef587d4dc9ea1e3f4f9820eb0728a7a1dbb8ad1ccc758a5
SSDEEP

1536:R7rA6XHngkD7aqcXv8wXhuZgT8Qs33vLOzGngTE3YDQcTjN8jFTXoQuk:OQn5D7XcT+3Qsnqzg2EINTM7uk

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2064	prunnet.exe
2692	prunnet.exe
2544	prunnet.exe
1036	prunnet.exe
1996	prunnet.exe
1384	prunnet.exe
2976	prunnet.exe
2632	prunnet.exe
1680	prunnet.exe
1720	prunnet.exe
2912	prunnet.exe
2452	prunnet.exe
2732	prunnet.exe
2668	prunnet.exe
2312	prunnet.exe
324	prunnet.exe
1972	prunnet.exe
2788	prunnet.exe
2836	prunnet.exe
1752	prunnet.exe
992	prunnet.exe
1484	prunnet.exe
2372	prunnet.exe
2812	prunnet.exe
1536	prunnet.exe
1928	prunnet.exe
2840	prunnet.exe
1456	prunnet.exe
1648	prunnet.exe
1264	prunnet.exe
3032	prunnet.exe
1764	prunnet.exe
2212	prunnet.exe
616	prunnet.exe
2828	prunnet.exe
2320	prunnet.exe
1864	prunnet.exe
2256	prunnet.exe
1228	prunnet.exe
2724	prunnet.exe
2952	prunnet.exe
2312	prunnet.exe
760	prunnet.exe
2520	prunnet.exe
2852	prunnet.exe
1384	prunnet.exe
2824	prunnet.exe
1500	prunnet.exe
968	prunnet.exe
1288	prunnet.exe
2876	prunnet.exe
2444	prunnet.exe
3064	prunnet.exe
2756	prunnet.exe
2848	prunnet.exe
1144	prunnet.exe
780	prunnet.exe
1996	prunnet.exe
280	prunnet.exe
2400	prunnet.exe
1652	prunnet.exe
2152	prunnet.exe
1028	prunnet.exe
2196	prunnet.exe

Loads dropped DLL 64 IoCs

pid	Process
3024	cmd.exe
3024	cmd.exe
2808	cmd.exe
2808	cmd.exe
2536	cmd.exe
2536	cmd.exe
872	cmd.exe
872	cmd.exe
776	cmd.exe
776	cmd.exe
1960	cmd.exe
1960	cmd.exe
2136	cmd.exe
2136	cmd.exe
2212	cmd.exe
2212	cmd.exe
2220	cmd.exe
2220	cmd.exe
1692	cmd.exe
1692	cmd.exe
2372	cmd.exe
2372	cmd.exe
1884	cmd.exe
1884	cmd.exe
2660	cmd.exe
2660	cmd.exe
2980	cmd.exe
2980	cmd.exe
2952	cmd.exe
2952	cmd.exe
1464	cmd.exe
1464	cmd.exe
2288	cmd.exe
2288	cmd.exe
328	cmd.exe
328	cmd.exe
1736	cmd.exe
1736	cmd.exe
2212	cmd.exe
2212	cmd.exe
2220	cmd.exe
2220	cmd.exe
644	cmd.exe
644	cmd.exe
1868	cmd.exe
1868	cmd.exe
2060	cmd.exe
2060	cmd.exe
2132	cmd.exe
2132	cmd.exe
2688	cmd.exe
2688	cmd.exe
2580	cmd.exe
2580	cmd.exe
2404	cmd.exe
2404	cmd.exe
1036	cmd.exe
1036	cmd.exe
1044	cmd.exe
1044	cmd.exe
328	cmd.exe
328	cmd.exe
1736	cmd.exe
1736	cmd.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\prunnet.exe	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\prunnet.exe	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1576	PING.EXE
952	cmd.exe
1520	PING.EXE
2860	cmd.exe
1596	PING.EXE
1764	PING.EXE
2636	PING.EXE
1532	PING.EXE
1864	PING.EXE
2688	cmd.exe
1732	PING.EXE
1904	PING.EXE
2752	PING.EXE
3052	cmd.exe
1572	cmd.exe
2748	PING.EXE
2652	PING.EXE
2820	cmd.exe
2584	PING.EXE
2456	cmd.exe
2796	cmd.exe
2476	PING.EXE
1868	PING.EXE
380	cmd.exe
1572	cmd.exe
2928	cmd.exe
408	PING.EXE
2568	cmd.exe
1044	cmd.exe
1448	PING.EXE
1716	PING.EXE
2904	cmd.exe
2960	cmd.exe
536	PING.EXE
1652	cmd.exe
1668	PING.EXE
2304	cmd.exe
2968	PING.EXE
2564	cmd.exe
2068	PING.EXE
2672	PING.EXE
1428	cmd.exe
2772	PING.EXE
1444	cmd.exe
1584	PING.EXE
1280	cmd.exe
2824	PING.EXE
2224	PING.EXE
2112	cmd.exe
2256	PING.EXE
2468	cmd.exe
2556	PING.EXE
1896	PING.EXE
2816	cmd.exe
2188	cmd.exe
2508	cmd.exe
2684	PING.EXE
2748	cmd.exe
1628	PING.EXE
2196	cmd.exe
2436	PING.EXE
1200	PING.EXE
2492	cmd.exe
2592	cmd.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1720	PING.EXE
2224	PING.EXE
1492	PING.EXE
1460	PING.EXE
1288	PING.EXE
696	PING.EXE
1628	PING.EXE
1944	PING.EXE
708	PING.EXE
1868	PING.EXE
2128	PING.EXE
1876	PING.EXE
2476	PING.EXE
2672	PING.EXE
2408	PING.EXE
408	PING.EXE
2684	PING.EXE
1904	PING.EXE
1900	PING.EXE
2352	PING.EXE
2772	PING.EXE
1864	PING.EXE
2748	PING.EXE
2232	PING.EXE
2436	PING.EXE
2068	PING.EXE
2428	PING.EXE
2440	PING.EXE
1700	PING.EXE
1992	PING.EXE
2752	PING.EXE
2520	PING.EXE
2584	PING.EXE
536	PING.EXE
1332	PING.EXE
1728	PING.EXE
1200	PING.EXE
968	PING.EXE
1520	PING.EXE
2256	PING.EXE
2528	PING.EXE
576	PING.EXE
2636	PING.EXE
2556	PING.EXE
1732	PING.EXE
2796	PING.EXE
2968	PING.EXE
1764	PING.EXE
636	PING.EXE
1872	PING.EXE
2556	PING.EXE
2864	PING.EXE
1596	PING.EXE
2780	PING.EXE
2824	PING.EXE
3048	PING.EXE
1896	PING.EXE
1584	PING.EXE
2652	PING.EXE
2784	PING.EXE
1668	PING.EXE
1448	PING.EXE
1716	PING.EXE
1876	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
2064	prunnet.exe
2692	prunnet.exe
2544	prunnet.exe
1036	prunnet.exe
1996	prunnet.exe
1384	prunnet.exe
2976	prunnet.exe
2632	prunnet.exe
1680	prunnet.exe
1720	prunnet.exe
2912	prunnet.exe
2452	prunnet.exe
2732	prunnet.exe
2668	prunnet.exe
2312	prunnet.exe
324	prunnet.exe
1972	prunnet.exe
2788	prunnet.exe
2836	prunnet.exe
1752	prunnet.exe
992	prunnet.exe
1484	prunnet.exe
2372	prunnet.exe
2812	prunnet.exe
1536	prunnet.exe
1928	prunnet.exe
2840	prunnet.exe
1456	prunnet.exe
1648	prunnet.exe
1264	prunnet.exe
3032	prunnet.exe
1764	prunnet.exe
2212	prunnet.exe
616	prunnet.exe
2828	prunnet.exe
2320	prunnet.exe
1864	prunnet.exe
2256	prunnet.exe
1228	prunnet.exe
2724	prunnet.exe
2952	prunnet.exe
2312	prunnet.exe
760	prunnet.exe
2520	prunnet.exe
2852	prunnet.exe
1384	prunnet.exe
2824	prunnet.exe
1500	prunnet.exe
968	prunnet.exe
1288	prunnet.exe
2876	prunnet.exe
2444	prunnet.exe
3064	prunnet.exe
2756	prunnet.exe
2848	prunnet.exe
1144	prunnet.exe
780	prunnet.exe
1996	prunnet.exe
280	prunnet.exe
2400	prunnet.exe
1652	prunnet.exe
2152	prunnet.exe
1028	prunnet.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
2064	prunnet.exe
2064	prunnet.exe
2064	prunnet.exe
2692	prunnet.exe
2692	prunnet.exe
2692	prunnet.exe
2544	prunnet.exe
2544	prunnet.exe
2544	prunnet.exe
1036	prunnet.exe
1036	prunnet.exe
1036	prunnet.exe
1996	prunnet.exe
1996	prunnet.exe
1996	prunnet.exe
1384	prunnet.exe
1384	prunnet.exe
1384	prunnet.exe
2976	prunnet.exe
2976	prunnet.exe
2976	prunnet.exe
2632	prunnet.exe
2632	prunnet.exe
2632	prunnet.exe
1680	prunnet.exe
1680	prunnet.exe
1680	prunnet.exe
1720	prunnet.exe
1720	prunnet.exe
1720	prunnet.exe
2912	prunnet.exe
2912	prunnet.exe
2912	prunnet.exe
2452	prunnet.exe
2452	prunnet.exe
2452	prunnet.exe
2732	prunnet.exe
2732	prunnet.exe
2732	prunnet.exe
2668	prunnet.exe
2668	prunnet.exe
2668	prunnet.exe
2312	prunnet.exe
2312	prunnet.exe
2312	prunnet.exe
324	prunnet.exe
324	prunnet.exe
324	prunnet.exe
1972	prunnet.exe
1972	prunnet.exe
1972	prunnet.exe
2788	prunnet.exe
2788	prunnet.exe
2788	prunnet.exe
2836	prunnet.exe
2836	prunnet.exe
2836	prunnet.exe
1752	prunnet.exe
1752	prunnet.exe
1752	prunnet.exe
992	prunnet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1620	2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	30
PID 2860 wrote to memory of 1620	2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	30
PID 2860 wrote to memory of 1620	2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	30
PID 2860 wrote to memory of 1620	2860	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	30
PID 1620 wrote to memory of 3048	1620	cmd.exe	32
PID 1620 wrote to memory of 3048	1620	cmd.exe	32
PID 1620 wrote to memory of 3048	1620	cmd.exe	32
PID 1620 wrote to memory of 3048	1620	cmd.exe	32
PID 1620 wrote to memory of 3024	1620	cmd.exe	34
PID 1620 wrote to memory of 3024	1620	cmd.exe	34
PID 1620 wrote to memory of 3024	1620	cmd.exe	34
PID 1620 wrote to memory of 3024	1620	cmd.exe	34
PID 3024 wrote to memory of 2064	3024	cmd.exe	35
PID 3024 wrote to memory of 2064	3024	cmd.exe	35
PID 3024 wrote to memory of 2064	3024	cmd.exe	35
PID 3024 wrote to memory of 2064	3024	cmd.exe	35
PID 2064 wrote to memory of 2748	2064	prunnet.exe	36
PID 2064 wrote to memory of 2748	2064	prunnet.exe	36
PID 2064 wrote to memory of 2748	2064	prunnet.exe	36
PID 2064 wrote to memory of 2748	2064	prunnet.exe	36
PID 2748 wrote to memory of 2672	2748	cmd.exe	38
PID 2748 wrote to memory of 2672	2748	cmd.exe	38
PID 2748 wrote to memory of 2672	2748	cmd.exe	38
PID 2748 wrote to memory of 2672	2748	cmd.exe	38
PID 2748 wrote to memory of 2808	2748	cmd.exe	39
PID 2748 wrote to memory of 2808	2748	cmd.exe	39
PID 2748 wrote to memory of 2808	2748	cmd.exe	39
PID 2748 wrote to memory of 2808	2748	cmd.exe	39
PID 2808 wrote to memory of 2692	2808	cmd.exe	40
PID 2808 wrote to memory of 2692	2808	cmd.exe	40
PID 2808 wrote to memory of 2692	2808	cmd.exe	40
PID 2808 wrote to memory of 2692	2808	cmd.exe	40
PID 2692 wrote to memory of 2840	2692	prunnet.exe	41
PID 2692 wrote to memory of 2840	2692	prunnet.exe	41
PID 2692 wrote to memory of 2840	2692	prunnet.exe	41
PID 2692 wrote to memory of 2840	2692	prunnet.exe	41
PID 2840 wrote to memory of 2796	2840	cmd.exe	43
PID 2840 wrote to memory of 2796	2840	cmd.exe	43
PID 2840 wrote to memory of 2796	2840	cmd.exe	43
PID 2840 wrote to memory of 2796	2840	cmd.exe	43
PID 2840 wrote to memory of 2536	2840	cmd.exe	44
PID 2840 wrote to memory of 2536	2840	cmd.exe	44
PID 2840 wrote to memory of 2536	2840	cmd.exe	44
PID 2840 wrote to memory of 2536	2840	cmd.exe	44
PID 2536 wrote to memory of 2544	2536	cmd.exe	45
PID 2536 wrote to memory of 2544	2536	cmd.exe	45
PID 2536 wrote to memory of 2544	2536	cmd.exe	45
PID 2536 wrote to memory of 2544	2536	cmd.exe	45
PID 2544 wrote to memory of 2960	2544	prunnet.exe	46
PID 2544 wrote to memory of 2960	2544	prunnet.exe	46
PID 2544 wrote to memory of 2960	2544	prunnet.exe	46
PID 2544 wrote to memory of 2960	2544	prunnet.exe	46
PID 2960 wrote to memory of 2968	2960	cmd.exe	48
PID 2960 wrote to memory of 2968	2960	cmd.exe	48
PID 2960 wrote to memory of 2968	2960	cmd.exe	48
PID 2960 wrote to memory of 2968	2960	cmd.exe	48
PID 2960 wrote to memory of 872	2960	cmd.exe	49
PID 2960 wrote to memory of 872	2960	cmd.exe	49
PID 2960 wrote to memory of 872	2960	cmd.exe	49
PID 2960 wrote to memory of 872	2960	cmd.exe	49
PID 872 wrote to memory of 1036	872	cmd.exe	50
PID 872 wrote to memory of 1036	872	cmd.exe	50
PID 872 wrote to memory of 1036	872	cmd.exe	50
PID 872 wrote to memory of 1036	872	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs ping.exe
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start "" "C:\Windows\system32\prunnet.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\prunnet.exe
      "C:\Windows\system32\prunnet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        9⤵
        Runs ping.exe
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        15⤵
        Runs ping.exe
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        16⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        17⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        18⤵
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        22⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        23⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        24⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        24⤵
        Loads dropped DLL
        
        PID:2212
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        27⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        27⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        28⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        30⤵
        Runs ping.exe
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        30⤵
        Loads dropped DLL
        
        PID:1692
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        33⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        33⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        34⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        36⤵
        Loads dropped DLL
        
        PID:1884
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        39⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        42⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        45⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        48⤵
        Loads dropped DLL
        
        PID:1464
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        50⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        51⤵
        Loads dropped DLL
        
        PID:2288
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        52⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        54⤵
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        54⤵
        Loads dropped DLL
        
        PID:328
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        56⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        57⤵
        Runs ping.exe
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        57⤵
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        59⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        60⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        60⤵
        Loads dropped DLL
        
        PID:2212
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        62⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        63⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        63⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        65⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        66⤵
        Runs ping.exe
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        66⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        67⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        69⤵
        Runs ping.exe
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        69⤵
        Loads dropped DLL
        
        PID:1868
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        70⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        71⤵
        
        PID:896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        72⤵
        Runs ping.exe
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        72⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        73⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        75⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        76⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        77⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        78⤵
        Runs ping.exe
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        78⤵
        Loads dropped DLL
        
        PID:2688
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        79⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        81⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        81⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        82⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        84⤵
        Runs ping.exe
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        84⤵
        Loads dropped DLL
        
        PID:2404
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        85⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        86⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        87⤵
        Loads dropped DLL
        
        PID:1036
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        88⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        89⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        90⤵
        Runs ping.exe
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        90⤵
        Loads dropped DLL
        
        PID:1044
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        92⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        93⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        93⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        94⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        96⤵
        Runs ping.exe
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        96⤵
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        97⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        98⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        99⤵
        
        PID:408
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        100⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        101⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        102⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        103⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        104⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        105⤵
        Runs ping.exe
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        105⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        106⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        107⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        108⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        108⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        109⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        111⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        111⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        112⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        113⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        114⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        114⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        115⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        116⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        117⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        118⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        119⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        120⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        120⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        121⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        123⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        123⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        124⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        126⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        126⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        127⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        128⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        129⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        129⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        130⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        131⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        132⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        132⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        133⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        134⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        135⤵
        Runs ping.exe
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        135⤵
        
        PID:280
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        136⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        137⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        138⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        138⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        139⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        140⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        141⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        141⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        142⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        144⤵
        Runs ping.exe
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        144⤵
        
        PID:700
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        145⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        146⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        147⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        147⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        148⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        149⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        150⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        150⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        151⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        153⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        154⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        156⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        157⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        159⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        159⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        160⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        161⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        162⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        163⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        165⤵
        Runs ping.exe
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        166⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        167⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        168⤵
        Runs ping.exe
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        168⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        169⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        170⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        171⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        171⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        172⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        173⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        174⤵
        Runs ping.exe
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        174⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        175⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        176⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        177⤵
        Runs ping.exe
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        177⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        178⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        179⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        180⤵
        Runs ping.exe
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        181⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        182⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        183⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        183⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        184⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        185⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        186⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        187⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        189⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        189⤵
        
        PID:568
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        190⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        192⤵
        Runs ping.exe
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        193⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        194⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        195⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        195⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        196⤵
        Checks whether UAC is enabled
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        197⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        198⤵
        Runs ping.exe
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        198⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        199⤵
        Checks whether UAC is enabled
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        200⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        201⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        201⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        202⤵
        Checks whether UAC is enabled
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        203⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        204⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        204⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        205⤵
        Checks whether UAC is enabled
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        207⤵
        Runs ping.exe
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        208⤵
        Checks whether UAC is enabled
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        209⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        210⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\prunnet.exe

Filesize
96KB

MD5
95493103ed99da8300c9f13cbb519dc0

SHA1
42d007691613ba22b1a7351b01fd4c32f4160549

SHA256
0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4

SHA512
55215a6a01327728de5d805a3446a64e089573f9699a80f91a227867d624f67819257bdd453b69682ef587d4dc9ea1e3f4f9820eb0728a7a1dbb8ad1ccc758a5

Download Submit
memory/280-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/324-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-212-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/760-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-42-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/872-33-0x0000000000160000-0x000000000018F000-memory.dmp

Filesize
188KB

Download
memory/968-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-267-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/1144-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-282-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1680-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-97-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1972-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-291-0x0000000077020000-0x000000007711A000-memory.dmp

Filesize
1000KB

Download
memory/2112-290-0x0000000076F00000-0x000000007701F000-memory.dmp

Filesize
1.1MB

Download
memory/2136-57-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/2212-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-66-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/2212-119-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/2280-308-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/2312-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-195-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/2404-228-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/2404-194-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/2444-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-188-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/2580-187-0x00000000000F0000-0x000000000011F000-memory.dmp

Filesize
188KB

Download
memory/2632-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-118-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2952-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-247-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2976-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-336-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download