Analysis
max time kernel: 124s
max time network: 54s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 21:26

Static task: static1

Behavioral task: behavioral1
Sample: 81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Resource: win10v2004-20240730-en

General
Target: 81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
Size: 214KB
MD5: 81c7a4d1078b344f7b9e99cd3f88c984
SHA1: 3355c6d6bd4fd34fb23c5ed998daaa54ba55a651
SHA256: 93739acd40217d985062c5ac8a028e2bf20a806be0bb4298a1dd29ad99d38052
SHA512: b1daceccc11da91a3f47135fcdaddd06f1c25a1f571bd913ef3462a758808bd993e8a2ecf506bb5ef3a7371b3933cf765ee44a18c06c9746be5905f921d74502
SSDEEP: 3072:uahAcUn4vObQA/SukvOtL7QJlsmo990S+P5tPR3Trw7R7MR1Cd/Tu:uaacVGbQMSukvOyJlsaS+xRR3/w9AyS
Malware Config
Signatures
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Executes dropped EXE 1 IoCs
  PID 2636: wmimgmt.exe

Loads dropped DLL 2 IoCs
  PID 1144: 81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
  PID 1144: 81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  Key opened: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (reg.exe)

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: (wmimgmt.exe)

Network Service Discovery
  PID 2016: ARP.EXE

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.

Enumerates processes with tasklist 1 TTPs 1 IoCs
  PID 2072: tasklist.exe

Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  PID 2472: PING.EXE
  PID 2244: findstr.exe

System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
  PID 940: NETSTAT.EXE

Discovers systems in the same network 1 TTPs 4 IoCs
  PID 2840: net.exe
  PID 2628: net.exe
  PID 2052: net.exe
  PID 1828: net.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
  PID 668: ipconfig.exe
  PID 940: NETSTAT.EXE
  PID 2896: NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
  PID 1536: systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
  PID 2472: PING.EXE
Suspicious use of AdjustPrivilegeToken 34 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\81c7a4d1078b344f7b9e99cd3f88c984_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1144
  [2] C:\ProgramData\Application Data\wmimgmt.exe
      Command: "C:\ProgramData\Application Data\wmimgmt.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2636
    [3] C:\Windows\SysWOW64\cmd.exe
        Command: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2564
      [4] C:\Windows\SysWOW64\findstr.exe
          Command: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          - System Location Discovery: System Language Discovery
          PID: 1328
      [4] C:\Windows\SysWOW64\chcp.com
          Command: chcp
          - System Location Discovery: System Language Discovery
          PID: 1728
      [4] C:\Windows\SysWOW64\net.exe
          Command: net user
          - Suspicious use of WriteProcessMemory
          PID: 280
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 user
            - System Location Discovery: System Language Discovery
            PID: 2144
      [4] C:\Windows\SysWOW64\net.exe
          Command: net localgroup administrators
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2304
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 localgroup administrators
            - System Location Discovery: System Language Discovery
            PID: 1816
      [4] C:\Windows\SysWOW64\tasklist.exe
          Command: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2072
      [4] C:\Windows\SysWOW64\systeminfo.exe
          Command: systeminfo
          - System Location Discovery: System Language Discovery
          - Gathers system information
          PID: 1536
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          - System Location Discovery: System Language Discovery
          PID: 1808
      [4] C:\Windows\SysWOW64\find.exe
          Command: find "REG_"
          - System Location Discovery: System Language Discovery
          PID: 1036
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          - System Location Discovery: System Language Discovery
          PID: 1724
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 520
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          PID: 972
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          PID: 2292
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1396
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1756
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 2900
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
          PID: 2908
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
          - Accesses Microsoft Outlook accounts
          - System Location Discovery: System Language Discovery
          PID: 2916
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
          - System Location Discovery: System Language Discovery
          PID: 2352
      [4] C:\Windows\SysWOW64\reg.exe
          Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
          - System Location Discovery: System Language Discovery
          PID: 2312
      [4] C:\Windows\SysWOW64\net.exe
          Command: net user Admin
          - System Location Discovery: System Language Discovery
          PID: 2136
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 user Admin
            - System Location Discovery: System Language Discovery
            PID: 2108
      [4] C:\Windows\SysWOW64\net.exe
          Command: net user Admin /domain
          - System Location Discovery: System Language Discovery
          PID: 2224
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 user Admin /domain
            - System Location Discovery: System Language Discovery
            PID: 2112
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group
          - System Location Discovery: System Language Discovery
          PID: 2816
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group
            - System Location Discovery: System Language Discovery
            PID: 2600
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group /domain
          - System Location Discovery: System Language Discovery
          PID: 2164
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group /domain
            - System Location Discovery: System Language Discovery
            PID: 2140
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain admins"
          - System Location Discovery: System Language Discovery
          PID: 2100
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain admins"
            - System Location Discovery: System Language Discovery
            PID: 1284
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain admins" /domain
          - System Location Discovery: System Language Discovery
          PID: 1352
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain admins" /domain
            - System Location Discovery: System Language Discovery
            PID: 1744
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain computers"
          - System Location Discovery: System Language Discovery
          PID: 1644
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain computers"
            - System Location Discovery: System Language Discovery
            PID: 920
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain computers" /domain
          - System Location Discovery: System Language Discovery
          PID: 1456
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain computers" /domain
            PID: 3068
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain controllers"
          PID: 2032
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain controllers"
            - System Location Discovery: System Language Discovery
            PID: 2320
      [4] C:\Windows\SysWOW64\net.exe
          Command: net group "domain controllers" /domain
          - System Location Discovery: System Language Discovery
          PID: 2004
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 group "domain controllers" /domain
            PID: 1376
      [4] C:\Windows\SysWOW64\ipconfig.exe
          Command: ipconfig /all
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 668
      [4] C:\Windows\SysWOW64\NETSTAT.EXE
          Command: netstat -ano
          - System Network Connections Discovery
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
          PID: 940
      [4] C:\Windows\SysWOW64\ARP.EXE
          Command: arp -a
          - Network Service Discovery
          - System Location Discovery: System Language Discovery
          PID: 2016
      [4] C:\Windows\SysWOW64\NETSTAT.EXE
          Command: netstat -r
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 2896
        [5] C:\Windows\SysWOW64\cmd.exe
            Command: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            - System Location Discovery: System Language Discovery
            PID: 324
          [6] C:\Windows\SysWOW64\ROUTE.EXE
              Command: C:\Windows\system32\route.exe print
              PID: 2612
      [4] C:\Windows\SysWOW64\net.exe
          Command: net start
          - System Location Discovery: System Language Discovery
          PID: 1964
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 start
            - System Location Discovery: System Language Discovery
            PID: 1776
      [4] C:\Windows\SysWOW64\net.exe
          Command: net use
          - System Location Discovery: System Language Discovery
          PID: 1940
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" echo n"
          - System Location Discovery: System Language Discovery
          PID: 992
      [4] C:\Windows\SysWOW64\net.exe
          Command: net share
          - System Location Discovery: System Language Discovery
          PID: 1032
        [5] C:\Windows\SysWOW64\net1.exe
            Command: C:\Windows\system32\net1 share
            - System Location Discovery: System Language Discovery
            PID: 1672
      [4] C:\Windows\SysWOW64\net.exe
          Command: net view /domain
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 2840
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          PID: 2548
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "------"
          - System Location Discovery: System Language Discovery
          PID: 2596
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 2960
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "domain"
          - System Location Discovery: System Language Discovery
          PID: 2652
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          - System Location Discovery: System Language Discovery
          PID: 2988
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "¬A╛╣"
          PID: 3060
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 2980
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "░⌡ªµª¿"
          - System Location Discovery: System Language Discovery
          PID: 2212
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          - System Location Discovery: System Language Discovery
          PID: 1496
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "├ⁿ┴ε"
          - System Location Discovery: System Language Discovery
          PID: 1184
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 2216
      [4] C:\Windows\SysWOW64\find.exe
          Command: find /i /v "completed successfully"
          - System Location Discovery: System Language Discovery
          PID: 2512
      [4] C:\Windows\SysWOW64\net.exe
          Command: net view /domain:"WORKGROUP"
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 2628
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
          - System Location Discovery: System Language Discovery
          PID: 2176
      [4] C:\Windows\SysWOW64\find.exe
          Command: find "\\"
          PID: 2064
      [4] C:\Windows\SysWOW64\net.exe
          Command: net view \\MVFYZPLM
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 2052
      [4] C:\Windows\SysWOW64\net.exe
          Command: net view \\MVFYZPLM
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 1828
      [4] C:\Windows\SysWOW64\find.exe
          Command: find "Disk"
          PID: 852
      [4] C:\Windows\SysWOW64\PING.EXE
          Command: ping -n 1 MVFYZPLM
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2472
      [4] C:\Windows\SysWOW64\findstr.exe
          Command: findstr /i "Pinging Reply Request Unknown"
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          PID: 2244
Network
MITRE ATT&CK Enterprise v15
Discovery
  Domain Trust Discovery (1)
  Network Service Discovery (1)
  Network Share Discovery (1)
  Password Policy Discovery (1)
  Peripheral Device Discovery (1)
  Permission Groups Discovery (2)
    Domain Groups (1)
    Local Groups (1)
  Process Discovery (1)
  Query Registry (1)
  Remote System Discovery (2)
  System Information Discovery (3)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  System Network Connections Discovery (1)
Downloads