Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 08:13
Static task: static1
Behavioral task: behavioral1
Sample: 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
Resource: win7-20240705-en
General
- Target: 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe
- Size: 96KB
- MD5: 95493103ed99da8300c9f13cbb519dc0
- SHA1: 42d007691613ba22b1a7351b01fd4c32f4160549
- SHA256: 0ec6e9301d962f0cd99773ce9b12ab20b217a9416b0e1f27927d6f3d367b37b4
- SHA512: 55215a6a01327728de5d805a3446a64e089573f9699a80f91a227867d624f67819257bdd453b69682ef587d4dc9ea1e3f4f9820eb0728a7a1dbb8ad1ccc758a5
- SSDEEP: 1536:R7rA6XHngkD7aqcXv8wXhuZgT8Qs33vLOzGngTE3YDQcTjN8jFTXoQuk:OQn5D7XcT+3Qsnqzg2EINTM7uk
Malware Config
Signatures
-
Executes dropped EXE 62 IoCs
pid Process 4280 prunnet.exe 1136 prunnet.exe 4368 prunnet.exe 4240 prunnet.exe 4576 prunnet.exe 4704 prunnet.exe 2204 prunnet.exe 2132 prunnet.exe 3704 prunnet.exe 1284 prunnet.exe 1636 prunnet.exe 1624 prunnet.exe 396 prunnet.exe 4564 prunnet.exe 1136 prunnet.exe 2408 prunnet.exe 2204 prunnet.exe 3256 prunnet.exe 4468 prunnet.exe 3224 prunnet.exe 4312 prunnet.exe 336 prunnet.exe 3812 prunnet.exe 2528 prunnet.exe 3952 prunnet.exe 60 prunnet.exe 2472 prunnet.exe 3256 prunnet.exe 3880 prunnet.exe 1632 prunnet.exe 4368 prunnet.exe 4012 prunnet.exe 336 prunnet.exe 3232 prunnet.exe 3704 prunnet.exe 1188 prunnet.exe 1888 prunnet.exe 1616 prunnet.exe 3384 prunnet.exe 1816 prunnet.exe 3552 prunnet.exe 4060 prunnet.exe 428 prunnet.exe 3680 prunnet.exe 2296 prunnet.exe 3212 prunnet.exe 3544 prunnet.exe 3588 prunnet.exe 3960 prunnet.exe 4664 prunnet.exe 2468 prunnet.exe 2788 prunnet.exe 3612 prunnet.exe 556 prunnet.exe 4512 prunnet.exe 1396 prunnet.exe 4400 prunnet.exe 3628 prunnet.exe 1016 prunnet.exe 4344 prunnet.exe 2676 prunnet.exe 4352 prunnet.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key 
value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA prunnet.exe -
Drops file in System32 directory 2 IoCs
- File created: C:\Windows\SysWOW64\prunnet.exe (process: 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\prunnet.exe (process: 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prunnet.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3020 PING.EXE 4188 PING.EXE 2628 cmd.exe 5020 cmd.exe 1376 PING.EXE 3356 PING.EXE 1372 cmd.exe 2664 cmd.exe 3364 cmd.exe 4136 PING.EXE 2280 cmd.exe 4280 cmd.exe 2268 PING.EXE 2744 PING.EXE 1676 cmd.exe 2796 PING.EXE 4212 PING.EXE 652 PING.EXE 3108 cmd.exe 2204 cmd.exe 2588 cmd.exe 3304 cmd.exe 4332 cmd.exe 4704 PING.EXE 3520 PING.EXE 1396 PING.EXE 3356 cmd.exe 4444 PING.EXE 4188 cmd.exe 2180 PING.EXE 744 PING.EXE 1064 PING.EXE 1500 cmd.exe 3024 cmd.exe 4492 cmd.exe 1792 cmd.exe 3264 PING.EXE 3528 cmd.exe 4416 cmd.exe 4140 cmd.exe 4112 PING.EXE 732 PING.EXE 1072 PING.EXE 1820 PING.EXE 2536 PING.EXE 2108 cmd.exe 2856 PING.EXE 1176 PING.EXE 100 PING.EXE 4188 cmd.exe 2404 cmd.exe 620 PING.EXE 2568 PING.EXE 2380 PING.EXE 4528 cmd.exe 4576 cmd.exe 2472 cmd.exe 3020 cmd.exe 2368 cmd.exe 3324 PING.EXE 4172 cmd.exe 3024 PING.EXE 5008 cmd.exe 860 PING.EXE -
Runs ping.exe 1 TTPs 62 IoCs
pid Process 1648 PING.EXE 3028 PING.EXE 2540 PING.EXE 2536 PING.EXE 3264 PING.EXE 1680 PING.EXE 396 PING.EXE 3356 PING.EXE 732 PING.EXE 652 PING.EXE 4956 PING.EXE 116 PING.EXE 180 PING.EXE 2796 PING.EXE 1212 PING.EXE 4704 PING.EXE 3520 PING.EXE 1376 PING.EXE 2268 PING.EXE 3736 PING.EXE 3024 PING.EXE 860 PING.EXE 744 PING.EXE 2480 PING.EXE 4212 PING.EXE 4188 PING.EXE 1292 PING.EXE 412 PING.EXE 2552 PING.EXE 2856 PING.EXE 2036 PING.EXE 2820 PING.EXE 3324 PING.EXE 1072 PING.EXE 4112 PING.EXE 4444 PING.EXE 4576 PING.EXE 3628 PING.EXE 3524 PING.EXE 4564 PING.EXE 3020 PING.EXE 1820 PING.EXE 1064 PING.EXE 3024 PING.EXE 3312 PING.EXE 1620 PING.EXE 2744 PING.EXE 4136 PING.EXE 2380 PING.EXE 2180 PING.EXE 3024 PING.EXE 4460 PING.EXE 3504 PING.EXE 1176 PING.EXE 2568 PING.EXE 1396 PING.EXE 652 PING.EXE 100 PING.EXE 636 PING.EXE 1388 PING.EXE 1292 PING.EXE 620 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 4280 prunnet.exe 4280 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 4368 prunnet.exe 4368 prunnet.exe 4240 prunnet.exe 4240 prunnet.exe 4576 prunnet.exe 4576 prunnet.exe 4704 prunnet.exe 4704 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 2132 prunnet.exe 2132 prunnet.exe 3704 prunnet.exe 3704 prunnet.exe 1284 prunnet.exe 1284 prunnet.exe 1636 prunnet.exe 1636 prunnet.exe 1624 prunnet.exe 1624 prunnet.exe 396 prunnet.exe 396 prunnet.exe 4564 prunnet.exe 4564 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 2408 prunnet.exe 2408 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 3256 prunnet.exe 3256 prunnet.exe 3224 prunnet.exe 3224 prunnet.exe 4312 prunnet.exe 4312 prunnet.exe 336 prunnet.exe 336 prunnet.exe 3812 prunnet.exe 3812 prunnet.exe 2528 prunnet.exe 2528 prunnet.exe 3952 prunnet.exe 3952 prunnet.exe 60 prunnet.exe 60 prunnet.exe 2472 prunnet.exe 2472 prunnet.exe 3256 prunnet.exe 3256 prunnet.exe 3880 prunnet.exe 3880 prunnet.exe 1632 prunnet.exe 1632 prunnet.exe 4368 prunnet.exe 4368 prunnet.exe 4012 prunnet.exe 4012 prunnet.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 4280 prunnet.exe 4280 prunnet.exe 4280 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 4368 prunnet.exe 4368 prunnet.exe 4368 prunnet.exe 4240 prunnet.exe 4240 prunnet.exe 4240 prunnet.exe 4576 prunnet.exe 4576 prunnet.exe 4576 prunnet.exe 4704 prunnet.exe 4704 prunnet.exe 4704 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 2132 prunnet.exe 2132 prunnet.exe 2132 prunnet.exe 3704 prunnet.exe 3704 prunnet.exe 3704 prunnet.exe 1284 prunnet.exe 1284 prunnet.exe 1284 prunnet.exe 1636 prunnet.exe 1636 prunnet.exe 1636 prunnet.exe 1624 prunnet.exe 1624 prunnet.exe 1624 prunnet.exe 396 prunnet.exe 396 prunnet.exe 396 prunnet.exe 4564 prunnet.exe 4564 prunnet.exe 4564 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 1136 prunnet.exe 2408 prunnet.exe 2408 prunnet.exe 2408 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 2204 prunnet.exe 3256 prunnet.exe 3256 prunnet.exe 3256 prunnet.exe 3224 prunnet.exe 3224 prunnet.exe 3224 prunnet.exe 4312 prunnet.exe 4312 prunnet.exe 4312 prunnet.exe 336 prunnet.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1832 wrote to memory of 1068 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 92 PID 1832 wrote to memory of 1068 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 92 PID 1832 wrote to memory of 1068 1832 95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe 92 PID 1068 wrote to memory of 4136 1068 cmd.exe 94 PID 1068 wrote to memory of 4136 1068 cmd.exe 94 PID 1068 wrote to memory of 4136 1068 cmd.exe 94 PID 1068 wrote to memory of 1632 1068 cmd.exe 99 PID 1068 wrote to memory of 1632 1068 cmd.exe 99 PID 1068 wrote to memory of 1632 1068 cmd.exe 99 PID 1632 wrote to memory of 4280 1632 cmd.exe 100 PID 1632 wrote to memory of 4280 1632 cmd.exe 100 PID 1632 wrote to memory of 4280 1632 cmd.exe 100 PID 4280 wrote to memory of 2676 4280 prunnet.exe 101 PID 4280 wrote to memory of 2676 4280 prunnet.exe 101 PID 4280 wrote to memory of 2676 4280 prunnet.exe 101 PID 2676 wrote to memory of 1064 2676 cmd.exe 103 PID 2676 wrote to memory of 1064 2676 cmd.exe 103 PID 2676 wrote to memory of 1064 2676 cmd.exe 103 PID 2676 wrote to memory of 3896 2676 cmd.exe 106 PID 2676 wrote to memory of 3896 2676 cmd.exe 106 PID 2676 wrote to memory of 3896 2676 cmd.exe 106 PID 3896 wrote to memory of 1136 3896 cmd.exe 107 PID 3896 wrote to memory of 1136 3896 cmd.exe 107 PID 3896 wrote to memory of 1136 3896 cmd.exe 107 PID 1136 wrote to memory of 3528 1136 prunnet.exe 109 PID 1136 wrote to memory of 3528 1136 prunnet.exe 109 PID 1136 wrote to memory of 3528 1136 prunnet.exe 109 PID 3528 wrote to memory of 3024 3528 cmd.exe 111 PID 3528 wrote to memory of 3024 3528 cmd.exe 111 PID 3528 wrote to memory of 3024 3528 cmd.exe 111 PID 3528 wrote to memory of 2088 3528 cmd.exe 113 PID 3528 wrote to memory of 2088 3528 cmd.exe 113 PID 3528 wrote to memory of 2088 3528 cmd.exe 113 PID 2088 wrote to memory of 4368 2088 cmd.exe 114 PID 2088 wrote to memory of 4368 2088 cmd.exe 114 PID 2088 wrote to memory of 4368 2088 cmd.exe 114 PID 4368 wrote to 
memory of 3316 4368 prunnet.exe 115 PID 4368 wrote to memory of 3316 4368 prunnet.exe 115 PID 4368 wrote to memory of 3316 4368 prunnet.exe 115 PID 3316 wrote to memory of 3524 3316 cmd.exe 117 PID 3316 wrote to memory of 3524 3316 cmd.exe 117 PID 3316 wrote to memory of 3524 3316 cmd.exe 117 PID 3316 wrote to memory of 2076 3316 cmd.exe 119 PID 3316 wrote to memory of 2076 3316 cmd.exe 119 PID 3316 wrote to memory of 2076 3316 cmd.exe 119 PID 2076 wrote to memory of 4240 2076 cmd.exe 120 PID 2076 wrote to memory of 4240 2076 cmd.exe 120 PID 2076 wrote to memory of 4240 2076 cmd.exe 120 PID 4240 wrote to memory of 2804 4240 prunnet.exe 121 PID 4240 wrote to memory of 2804 4240 prunnet.exe 121 PID 4240 wrote to memory of 2804 4240 prunnet.exe 121 PID 2804 wrote to memory of 3324 2804 cmd.exe 123 PID 2804 wrote to memory of 3324 2804 cmd.exe 123 PID 2804 wrote to memory of 3324 2804 cmd.exe 123 PID 2804 wrote to memory of 3364 2804 cmd.exe 125 PID 2804 wrote to memory of 3364 2804 cmd.exe 125 PID 2804 wrote to memory of 3364 2804 cmd.exe 125 PID 3364 wrote to memory of 4576 3364 cmd.exe 126 PID 3364 wrote to memory of 4576 3364 cmd.exe 126 PID 3364 wrote to memory of 4576 3364 cmd.exe 126 PID 4576 wrote to memory of 4280 4576 prunnet.exe 127 PID 4576 wrote to memory of 4280 4576 prunnet.exe 127 PID 4576 wrote to memory of 4280 4576 prunnet.exe 127 PID 4280 wrote to memory of 1396 4280 cmd.exe 129
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe | command line: "C:\Users\Admin\AppData\Local\Temp\95493103ed99da8300c9f13cbb519dc0_JaffaCakes118.exe"
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832 -
Level 2: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- Suspicious use of WriteProcessMemory
PID:1068 -
Level 3: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4136
-
-
Level 3: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe"
- Suspicious use of WriteProcessMemory
PID:1632 -
Level 4: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280 -
Level 5: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- Suspicious use of WriteProcessMemory
PID:2676 -
Level 6: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1064
-
-
Level 6: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe"
- Suspicious use of WriteProcessMemory
PID:3896 -
Level 7: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136 -
Level 8: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3528 -
Level 9: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:3024
-
-
Level 9: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe"
- Suspicious use of WriteProcessMemory
PID:2088 -
Level 10: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368 -
Level 11: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- Suspicious use of WriteProcessMemory
PID:3316 -
Level 12: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- Runs ping.exe
PID:3524
-
-
Level 12: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe"
- Suspicious use of WriteProcessMemory
PID:2076 -
Level 13: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
Level 14: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- Suspicious use of WriteProcessMemory
PID:2804 -
Level 15: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3324
-
-
Level 15: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe"
- Suspicious use of WriteProcessMemory
PID:3364 -
Level 16: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4576 -
Level 17: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4280 -
Level 18: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1396
-
-
Level 18: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:5040
-
Level 19: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4704 -
Level 20: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
PID:5020 -
Level 21: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4112
-
-
Level 21: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:3236
-
Level 22: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204 -
Level 23: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL | PID:3040
-
Level 24: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:4460
-
-
Level 24: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:1108
-
Level 25: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132 -
Level 26: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
PID:2108 -
Level 27: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2380
-
-
Level 27: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:4732
-
Level 28: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3704 -
Level 29: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3356 -
Level 30: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- Runs ping.exe
PID:1680
-
-
Level 30: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:3952
-
Level 31: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1284 -
Level 32: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
PID:1500 -
Level 33: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- Runs ping.exe
PID:652
-
-
Level 33: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:4664
-
Level 34: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1636 -
Level 35: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Network Configuration Discovery: Internet Connection Discovery
PID:3024 -
Level 36: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- Runs ping.exe
PID:1292
-
-
Level 36: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:4160
-
Level 37: C:\Windows\SysWOW64\prunnet.exe | command line: "C:\Windows\system32\prunnet.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1624 -
Level 38: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2204 -
Level 39: C:\Windows\SysWOW64\PING.EXE | command line: ping localhost -n 3
- Runs ping.exe
PID:2552
-
-
Level 39: C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start "" "C:\Windows\system32\prunnet.exe" | PID:2416
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"40⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:396 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL41⤵PID:736
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 342⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2796
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"42⤵PID:3256
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"43⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4564 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL44⤵PID:1632
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 345⤵
- Runs ping.exe
PID:1212
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"45⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"46⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1136 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL47⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2588 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 348⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4212
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"48⤵
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"49⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2408 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL50⤵PID:2576
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 351⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1376
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"51⤵
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"52⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL53⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 354⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:396
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"54⤵PID:2796
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"55⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3256 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL56⤵PID:956
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 357⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:4564
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"57⤵PID:3384
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"58⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4468 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL59⤵PID:888
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 360⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3356
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"60⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"61⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3224 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL62⤵PID:60
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 363⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2856
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"63⤵PID:4736
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"64⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4312 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL65⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2404 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 366⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:732
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"66⤵PID:4936
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"67⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:336 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL68⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4416 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 369⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1072
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"69⤵PID:2540
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"70⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3812 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL71⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2664 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 372⤵
- Runs ping.exe
PID:1648
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"72⤵PID:264
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"73⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2528 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL74⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3364 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 375⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4444
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"75⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"76⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3952 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL77⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4172 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 378⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3024
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"78⤵PID:1792
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"79⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:60 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL80⤵PID:2792
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 381⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:100
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"81⤵PID:4936
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"82⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2472 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL83⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 384⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3020
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"84⤵PID:116
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"85⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3256 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL86⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4188 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 387⤵
- Runs ping.exe
PID:2036
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"87⤵PID:4208
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"88⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3880 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL89⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5008 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 390⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2268
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"90⤵PID:1592
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"91⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1632 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL92⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1372 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 393⤵
- Runs ping.exe
PID:1292
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"93⤵PID:3276
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"94⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4368 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL95⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4492 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 396⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4704
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"96⤵PID:4484
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"97⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4012 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL98⤵PID:2700
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 399⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2180
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"99⤵PID:4732
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"100⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL101⤵PID:1620
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 3102⤵
- Runs ping.exe
PID:3504
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"102⤵PID:4288
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"103⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL104⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3304 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 3105⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4188
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"105⤵PID:4444
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"106⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3704 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL107⤵
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 3108⤵
- Runs ping.exe
PID:3736
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"108⤵PID:888
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"109⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1188 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL110⤵PID:2436
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 3111⤵
- Runs ping.exe
PID:3024
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"111⤵PID:2820
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"112⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1888 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL113⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4528 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 3114⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:860
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"114⤵PID:512
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"115⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1616 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL116⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2280 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 3117⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1176
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"117⤵PID:548
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"118⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3384 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL119⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4332 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 3120⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:4576
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Windows\system32\prunnet.exe"120⤵PID:3544
-
C:\Windows\SysWOW64\prunnet.exe"C:\Windows\system32\prunnet.exe"121⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1816 -
C:\Windows\SysWOW64\cmd.execmd /c ping localhost -n 3 >> NUL && cmd /c start "" "C:\Windows\system32\prunnet.exe" >> NUL122⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2628