0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Size

96KB
MD5

95493103ed99da8300c9f13cbb519dc0
SHA1

42d007691613ba22b1a7351b01fd4c32f4160549
SHA256

0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4
SHA512

55215a6a01327728de5d805a3446a64e089573f9699a80f91a227867d624f67819257bdd453b69682ef587d4dc9ea1e3f4f9820eb0728a7a1dbb8ad1ccc758a5
SSDEEP

1536:R7rA6XHngkD7aqcXv8wXhuZgT8Qs33vLOzGngTE3YDQcTjN8jFTXoQuk:OQn5D7XcT+3Qsnqzg2EINTM7uk

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 62 IoCs

pid	Process
4280	prunnet.exe
1136	prunnet.exe
4368	prunnet.exe
4240	prunnet.exe
4576	prunnet.exe
4704	prunnet.exe
2204	prunnet.exe
2132	prunnet.exe
3704	prunnet.exe
1284	prunnet.exe
1636	prunnet.exe
1624	prunnet.exe
396	prunnet.exe
4564	prunnet.exe
1136	prunnet.exe
2408	prunnet.exe
2204	prunnet.exe
3256	prunnet.exe
4468	prunnet.exe
3224	prunnet.exe
4312	prunnet.exe
336	prunnet.exe
3812	prunnet.exe
2528	prunnet.exe
3952	prunnet.exe
60	prunnet.exe
2472	prunnet.exe
3256	prunnet.exe
3880	prunnet.exe
1632	prunnet.exe
4368	prunnet.exe
4012	prunnet.exe
336	prunnet.exe
3232	prunnet.exe
3704	prunnet.exe
1188	prunnet.exe
1888	prunnet.exe
1616	prunnet.exe
3384	prunnet.exe
1816	prunnet.exe
3552	prunnet.exe
4060	prunnet.exe
428	prunnet.exe
3680	prunnet.exe
2296	prunnet.exe
3212	prunnet.exe
3544	prunnet.exe
3588	prunnet.exe
3960	prunnet.exe
4664	prunnet.exe
2468	prunnet.exe
2788	prunnet.exe
3612	prunnet.exe
556	prunnet.exe
4512	prunnet.exe
1396	prunnet.exe
4400	prunnet.exe
3628	prunnet.exe
1016	prunnet.exe
4344	prunnet.exe
2676	prunnet.exe
4352	prunnet.exe

Checks whether UAC is enabled 1 TTPs 63 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	prunnet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\prunnet.exe	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\prunnet.exe	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prunnet.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3020	PING.EXE
4188	PING.EXE
2628	cmd.exe
5020	cmd.exe
1376	PING.EXE
3356	PING.EXE
1372	cmd.exe
2664	cmd.exe
3364	cmd.exe
4136	PING.EXE
2280	cmd.exe
4280	cmd.exe
2268	PING.EXE
2744	PING.EXE
1676	cmd.exe
2796	PING.EXE
4212	PING.EXE
652	PING.EXE
3108	cmd.exe
2204	cmd.exe
2588	cmd.exe
3304	cmd.exe
4332	cmd.exe
4704	PING.EXE
3520	PING.EXE
1396	PING.EXE
3356	cmd.exe
4444	PING.EXE
4188	cmd.exe
2180	PING.EXE
744	PING.EXE
1064	PING.EXE
1500	cmd.exe
3024	cmd.exe
4492	cmd.exe
1792	cmd.exe
3264	PING.EXE
3528	cmd.exe
4416	cmd.exe
4140	cmd.exe
4112	PING.EXE
732	PING.EXE
1072	PING.EXE
1820	PING.EXE
2536	PING.EXE
2108	cmd.exe
2856	PING.EXE
1176	PING.EXE
100	PING.EXE
4188	cmd.exe
2404	cmd.exe
620	PING.EXE
2568	PING.EXE
2380	PING.EXE
4528	cmd.exe
4576	cmd.exe
2472	cmd.exe
3020	cmd.exe
2368	cmd.exe
3324	PING.EXE
4172	cmd.exe
3024	PING.EXE
5008	cmd.exe
860	PING.EXE

Runs ping.exe 1 TTPs 62 IoCs

Remote System Discovery

T1018

pid	Process
1648	PING.EXE
3028	PING.EXE
2540	PING.EXE
2536	PING.EXE
3264	PING.EXE
1680	PING.EXE
396	PING.EXE
3356	PING.EXE
732	PING.EXE
652	PING.EXE
4956	PING.EXE
116	PING.EXE
180	PING.EXE
2796	PING.EXE
1212	PING.EXE
4704	PING.EXE
3520	PING.EXE
1376	PING.EXE
2268	PING.EXE
3736	PING.EXE
3024	PING.EXE
860	PING.EXE
744	PING.EXE
2480	PING.EXE
4212	PING.EXE
4188	PING.EXE
1292	PING.EXE
412	PING.EXE
2552	PING.EXE
2856	PING.EXE
2036	PING.EXE
2820	PING.EXE
3324	PING.EXE
1072	PING.EXE
4112	PING.EXE
4444	PING.EXE
4576	PING.EXE
3628	PING.EXE
3524	PING.EXE
4564	PING.EXE
3020	PING.EXE
1820	PING.EXE
1064	PING.EXE
3024	PING.EXE
3312	PING.EXE
1620	PING.EXE
2744	PING.EXE
4136	PING.EXE
2380	PING.EXE
2180	PING.EXE
3024	PING.EXE
4460	PING.EXE
3504	PING.EXE
1176	PING.EXE
2568	PING.EXE
1396	PING.EXE
652	PING.EXE
100	PING.EXE
636	PING.EXE
1388	PING.EXE
1292	PING.EXE
620	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
4280	prunnet.exe
4280	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
4368	prunnet.exe
4368	prunnet.exe
4240	prunnet.exe
4240	prunnet.exe
4576	prunnet.exe
4576	prunnet.exe
4704	prunnet.exe
4704	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
2132	prunnet.exe
2132	prunnet.exe
3704	prunnet.exe
3704	prunnet.exe
1284	prunnet.exe
1284	prunnet.exe
1636	prunnet.exe
1636	prunnet.exe
1624	prunnet.exe
1624	prunnet.exe
396	prunnet.exe
396	prunnet.exe
4564	prunnet.exe
4564	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
2408	prunnet.exe
2408	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
3256	prunnet.exe
3256	prunnet.exe
3224	prunnet.exe
3224	prunnet.exe
4312	prunnet.exe
4312	prunnet.exe
336	prunnet.exe
336	prunnet.exe
3812	prunnet.exe
3812	prunnet.exe
2528	prunnet.exe
2528	prunnet.exe
3952	prunnet.exe
3952	prunnet.exe
60	prunnet.exe
60	prunnet.exe
2472	prunnet.exe
2472	prunnet.exe
3256	prunnet.exe
3256	prunnet.exe
3880	prunnet.exe
3880	prunnet.exe
1632	prunnet.exe
1632	prunnet.exe
4368	prunnet.exe
4368	prunnet.exe
4012	prunnet.exe
4012	prunnet.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
4280	prunnet.exe
4280	prunnet.exe
4280	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
4368	prunnet.exe
4368	prunnet.exe
4368	prunnet.exe
4240	prunnet.exe
4240	prunnet.exe
4240	prunnet.exe
4576	prunnet.exe
4576	prunnet.exe
4576	prunnet.exe
4704	prunnet.exe
4704	prunnet.exe
4704	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
2132	prunnet.exe
2132	prunnet.exe
2132	prunnet.exe
3704	prunnet.exe
3704	prunnet.exe
3704	prunnet.exe
1284	prunnet.exe
1284	prunnet.exe
1284	prunnet.exe
1636	prunnet.exe
1636	prunnet.exe
1636	prunnet.exe
1624	prunnet.exe
1624	prunnet.exe
1624	prunnet.exe
396	prunnet.exe
396	prunnet.exe
396	prunnet.exe
4564	prunnet.exe
4564	prunnet.exe
4564	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
1136	prunnet.exe
2408	prunnet.exe
2408	prunnet.exe
2408	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
2204	prunnet.exe
3256	prunnet.exe
3256	prunnet.exe
3256	prunnet.exe
3224	prunnet.exe
3224	prunnet.exe
3224	prunnet.exe
4312	prunnet.exe
4312	prunnet.exe
4312	prunnet.exe
336	prunnet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1068	1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	92
PID 1832 wrote to memory of 1068	1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	92
PID 1832 wrote to memory of 1068	1832	95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe	92
PID 1068 wrote to memory of 4136	1068	cmd.exe	94
PID 1068 wrote to memory of 4136	1068	cmd.exe	94
PID 1068 wrote to memory of 4136	1068	cmd.exe	94
PID 1068 wrote to memory of 1632	1068	cmd.exe	99
PID 1068 wrote to memory of 1632	1068	cmd.exe	99
PID 1068 wrote to memory of 1632	1068	cmd.exe	99
PID 1632 wrote to memory of 4280	1632	cmd.exe	100
PID 1632 wrote to memory of 4280	1632	cmd.exe	100
PID 1632 wrote to memory of 4280	1632	cmd.exe	100
PID 4280 wrote to memory of 2676	4280	prunnet.exe	101
PID 4280 wrote to memory of 2676	4280	prunnet.exe	101
PID 4280 wrote to memory of 2676	4280	prunnet.exe	101
PID 2676 wrote to memory of 1064	2676	cmd.exe	103
PID 2676 wrote to memory of 1064	2676	cmd.exe	103
PID 2676 wrote to memory of 1064	2676	cmd.exe	103
PID 2676 wrote to memory of 3896	2676	cmd.exe	106
PID 2676 wrote to memory of 3896	2676	cmd.exe	106
PID 2676 wrote to memory of 3896	2676	cmd.exe	106
PID 3896 wrote to memory of 1136	3896	cmd.exe	107
PID 3896 wrote to memory of 1136	3896	cmd.exe	107
PID 3896 wrote to memory of 1136	3896	cmd.exe	107
PID 1136 wrote to memory of 3528	1136	prunnet.exe	109
PID 1136 wrote to memory of 3528	1136	prunnet.exe	109
PID 1136 wrote to memory of 3528	1136	prunnet.exe	109
PID 3528 wrote to memory of 3024	3528	cmd.exe	111
PID 3528 wrote to memory of 3024	3528	cmd.exe	111
PID 3528 wrote to memory of 3024	3528	cmd.exe	111
PID 3528 wrote to memory of 2088	3528	cmd.exe	113
PID 3528 wrote to memory of 2088	3528	cmd.exe	113
PID 3528 wrote to memory of 2088	3528	cmd.exe	113
PID 2088 wrote to memory of 4368	2088	cmd.exe	114
PID 2088 wrote to memory of 4368	2088	cmd.exe	114
PID 2088 wrote to memory of 4368	2088	cmd.exe	114
PID 4368 wrote to memory of 3316	4368	prunnet.exe	115
PID 4368 wrote to memory of 3316	4368	prunnet.exe	115
PID 4368 wrote to memory of 3316	4368	prunnet.exe	115
PID 3316 wrote to memory of 3524	3316	cmd.exe	117
PID 3316 wrote to memory of 3524	3316	cmd.exe	117
PID 3316 wrote to memory of 3524	3316	cmd.exe	117
PID 3316 wrote to memory of 2076	3316	cmd.exe	119
PID 3316 wrote to memory of 2076	3316	cmd.exe	119
PID 3316 wrote to memory of 2076	3316	cmd.exe	119
PID 2076 wrote to memory of 4240	2076	cmd.exe	120
PID 2076 wrote to memory of 4240	2076	cmd.exe	120
PID 2076 wrote to memory of 4240	2076	cmd.exe	120
PID 4240 wrote to memory of 2804	4240	prunnet.exe	121
PID 4240 wrote to memory of 2804	4240	prunnet.exe	121
PID 4240 wrote to memory of 2804	4240	prunnet.exe	121
PID 2804 wrote to memory of 3324	2804	cmd.exe	123
PID 2804 wrote to memory of 3324	2804	cmd.exe	123
PID 2804 wrote to memory of 3324	2804	cmd.exe	123
PID 2804 wrote to memory of 3364	2804	cmd.exe	125
PID 2804 wrote to memory of 3364	2804	cmd.exe	125
PID 2804 wrote to memory of 3364	2804	cmd.exe	125
PID 3364 wrote to memory of 4576	3364	cmd.exe	126
PID 3364 wrote to memory of 4576	3364	cmd.exe	126
PID 3364 wrote to memory of 4576	3364	cmd.exe	126
PID 4576 wrote to memory of 4280	4576	prunnet.exe	127
PID 4576 wrote to memory of 4280	4576	prunnet.exe	127
PID 4576 wrote to memory of 4280	4576	prunnet.exe	127
PID 4280 wrote to memory of 1396	4280	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start "" "C:\Windows\system32\prunnet.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\prunnet.exe
      "C:\Windows\system32\prunnet.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        9⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        12⤵
        Runs ping.exe
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        16⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        18⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        19⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        21⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        22⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        23⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        24⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        24⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        27⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        28⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        30⤵
        Runs ping.exe
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        30⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        31⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        33⤵
        Runs ping.exe
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        33⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        34⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        36⤵
        Runs ping.exe
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        36⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        38⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        39⤵
        Runs ping.exe
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        39⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        40⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        41⤵
        
        PID:736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        42⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        42⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        43⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        44⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        45⤵
        Runs ping.exe
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        46⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        49⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        50⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        52⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        54⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        54⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        55⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        56⤵
        
        PID:956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        57⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        57⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        58⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        59⤵
        
        PID:888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        61⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        62⤵
        
        PID:60
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        63⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        64⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        66⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        67⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        69⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        70⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        71⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        72⤵
        Runs ping.exe
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        72⤵
        
        PID:264
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        73⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        76⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        78⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        79⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        80⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        81⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        81⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        82⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        84⤵
        
        PID:116
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        85⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        87⤵
        Runs ping.exe
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        87⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        88⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        90⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        92⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        93⤵
        Runs ping.exe
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        93⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        94⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        95⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        96⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        97⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        98⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        99⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        100⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        101⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        102⤵
        Runs ping.exe
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        102⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        103⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        105⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        105⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        106⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        108⤵
        Runs ping.exe
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        108⤵
        
        PID:888
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        109⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        110⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        111⤵
        Runs ping.exe
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        111⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        112⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        113⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        114⤵
        
        PID:512
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        115⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        116⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        117⤵
        
        PID:548
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        118⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        119⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        120⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        120⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        121⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        122⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        123⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        124⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        126⤵
        Runs ping.exe
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        127⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        128⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        129⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        129⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        130⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        131⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        132⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        132⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        133⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        134⤵
        
        PID:432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        135⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        135⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        136⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        137⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        138⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        138⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        139⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        140⤵
        
        PID:512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        141⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        142⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        143⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        144⤵
        Runs ping.exe
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        145⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        146⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        147⤵
        Runs ping.exe
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        147⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        148⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        149⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        150⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        151⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        153⤵
        Runs ping.exe
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        153⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        154⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        155⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        157⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        159⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        159⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        160⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        161⤵
        
        PID:856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        162⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        162⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        163⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        165⤵
        Runs ping.exe
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        165⤵
        
        PID:428
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        166⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        167⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        169⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        170⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        171⤵
        Runs ping.exe
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        171⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        172⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        173⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        174⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        174⤵
        
        PID:400
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        175⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        176⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        177⤵
        Runs ping.exe
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        177⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        178⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        179⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        180⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        180⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        181⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        182⤵
        
        PID:428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        183⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        184⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        185⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        186⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c start "" "C:\Windows\system32\prunnet.exe"
        186⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\prunnet.exe
        
        "C:\Windows\system32\prunnet.exe"
        187⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
        188⤵
        
        PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\prunnet.exe

Filesize
96KB

MD5
95493103ed99da8300c9f13cbb519dc0

SHA1
42d007691613ba22b1a7351b01fd4c32f4160549

SHA256
0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4

SHA512
55215a6a01327728de5d805a3446a64e089573f9699a80f91a227867d624f67819257bdd453b69682ef587d4dc9ea1e3f4f9820eb0728a7a1dbb8ad1ccc758a5

Download Submit
memory/60-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-50-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3256-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3588-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download