Analysis
  Max time kernel: 149s
  Max time network: 150s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240802-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 17/08/2024, 03:49
Static task: static1
Behavioral task: behavioral1
  Sample: a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  Size: 50KB
  MD5: a1184e1690e4d0e3006f67ef21707693
  SHA1: 0865edbe60c018baa5a0014a63977a4da008f5ca
  SHA256: 33c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d
  SHA512: 7ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac
  SSDEEP: 768:1kpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:QkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
Executes dropped EXE (1 IoC)
  PID 4660: wmimgmt.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (reg.exe)
Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: (wmimgmt.exe)
Network Service Discovery (1 IoC)
  PID 1328: ARP.EXE
Password Policy Discovery (1 TTP)
  Attempt to access detailed information about the password policy used within an enterprise network.
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 4904: tasklist.exe
Permission Groups Discovery: Domain Groups (1 TTP)
  Attempt to find domain-level groups and permission settings.
Permission Groups Discovery: Local Groups (1 TTP)
  Attempt to find local system groups and permission settings.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Connections Discovery (1 TTP, 1 IoC)
  Attempt to get a listing of network connections.
  PID 868: NETSTAT.EXE
Discovers systems in the same network (1 TTP, 1 IoC)
  PID 3080: net.exe
Gathers network information (2 TTPs, 3 IoCs)
  Uses a command-line utility to view network configuration.
  PID 1520: ipconfig.exe
  PID 868: NETSTAT.EXE
  PID 2288: NETSTAT.EXE
Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  PID 4468: systeminfo.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
  Token                PID   Process
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeRestorePrivilege   2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeRestorePrivilege   2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeRestorePrivilege   2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeRestorePrivilege   2328  a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeRestorePrivilege   4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeDebugPrivilege     4904  tasklist.exe
  SeDebugPrivilege     868   NETSTAT.EXE
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeRestorePrivilege   4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
  SeBackupPrivilege    4660  wmimgmt.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[PID 2328] C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [PID 4660] C:\ProgramData\Application Data\wmimgmt.exe
    Command line: "C:\ProgramData\Application Data\wmimgmt.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [PID 4284] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [PID 1484] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
        - System Location Discovery: System Language Discovery
      [PID 1000] C:\Windows\SysWOW64\chcp.com
        Command line: chcp
        - System Location Discovery: System Language Discovery
      [PID 4880] C:\Windows\SysWOW64\net.exe
        Command line: net user
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [PID 224] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 user
          - System Location Discovery: System Language Discovery
      [PID 2944] C:\Windows\SysWOW64\net.exe
        Command line: net localgroup administrators
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [PID 432] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 localgroup administrators
          - System Location Discovery: System Language Discovery
      [PID 4904] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [PID 4468] C:\Windows\SysWOW64\systeminfo.exe
        Command line: systeminfo
        - System Location Discovery: System Language Discovery
        - Gathers system information
      [PID 4020] C:\Windows\SysWOW64\reg.exe
        Command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
        - System Location Discovery: System Language Discovery
      [PID 1352] C:\Windows\SysWOW64\find.exe
        Command line: find "REG_"
        - System Location Discovery: System Language Discovery
      [PID 4104] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
        - System Location Discovery: System Language Discovery
      [PID 3432] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
        - System Location Discovery: System Language Discovery
      [PID 3604] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
        - System Location Discovery: System Language Discovery
      [PID 4032] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
        - System Location Discovery: System Language Discovery
      [PID 2744] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      [PID 1856] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
        - System Location Discovery: System Language Discovery
      [PID 208] C:\Windows\SysWOW64\reg.exe
        Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
        - System Location Discovery: System Language Discovery
      [PID 4420] C:\Windows\SysWOW64\reg.exe
        Command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
        - System Location Discovery: System Language Discovery
      [PID 536] C:\Windows\SysWOW64\reg.exe
        Command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
        - Accesses Microsoft Outlook accounts
        - System Location Discovery: System Language Discovery
      [PID 316] C:\Windows\SysWOW64\reg.exe
        Command line: reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
        - System Location Discovery: System Language Discovery
      [PID 4384] C:\Windows\SysWOW64\reg.exe
        Command line: reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
        - System Location Discovery: System Language Discovery
      [PID 2268] C:\Windows\SysWOW64\net.exe
        Command line: net user Admin
        [PID 3652] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 user Admin
          - System Location Discovery: System Language Discovery
      [PID 2296] C:\Windows\SysWOW64\net.exe
        Command line: net user Admin /domain
        - System Location Discovery: System Language Discovery
        [PID 1344] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 user Admin /domain
          - System Location Discovery: System Language Discovery
      [PID 4180] C:\Windows\SysWOW64\net.exe
        Command line: net group
        - System Location Discovery: System Language Discovery
        [PID 4816] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group
      [PID 4624] C:\Windows\SysWOW64\net.exe
        Command line: net group /domain
        - System Location Discovery: System Language Discovery
        [PID 2704] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group /domain
          - System Location Discovery: System Language Discovery
      [PID 724] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain admins"
        - System Location Discovery: System Language Discovery
        [PID 4444] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain admins"
          - System Location Discovery: System Language Discovery
      [PID 1768] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain admins" /domain
        - System Location Discovery: System Language Discovery
        [PID 680] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain admins" /domain
          - System Location Discovery: System Language Discovery
      [PID 3156] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain computers"
        - System Location Discovery: System Language Discovery
        [PID 2984] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain computers"
          - System Location Discovery: System Language Discovery
      [PID 1324] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain computers" /domain
        - System Location Discovery: System Language Discovery
        [PID 3908] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain computers" /domain
          - System Location Discovery: System Language Discovery
      [PID 3812] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain controllers"
        - System Location Discovery: System Language Discovery
        [PID 636] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain controllers"
          - System Location Discovery: System Language Discovery
      [PID 1372] C:\Windows\SysWOW64\net.exe
        Command line: net group "domain controllers" /domain
        - System Location Discovery: System Language Discovery
        [PID 664] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 group "domain controllers" /domain
          - System Location Discovery: System Language Discovery
      [PID 1520] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /all
        - System Location Discovery: System Language Discovery
        - Gathers network information
      [PID 868] C:\Windows\SysWOW64\NETSTAT.EXE
        Command line: netstat -ano
        - System Location Discovery: System Language Discovery
        - System Network Connections Discovery
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
      [PID 1328] C:\Windows\SysWOW64\ARP.EXE
        Command line: arp -a
        - Network Service Discovery
        - System Location Discovery: System Language Discovery
      [PID 2288] C:\Windows\SysWOW64\NETSTAT.EXE
        Command line: netstat -r
        - System Location Discovery: System Language Discovery
        - Gathers network information
        [PID 228] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          - System Location Discovery: System Language Discovery
          [PID 3496] C:\Windows\SysWOW64\ROUTE.EXE
            Command line: C:\Windows\system32\route.exe print
            - System Location Discovery: System Language Discovery
      [PID 1864] C:\Windows\SysWOW64\net.exe
        Command line: net start
        - System Location Discovery: System Language Discovery
        [PID 4584] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start
          - System Location Discovery: System Language Discovery
      [PID 4832] C:\Windows\SysWOW64\net.exe
        Command line: net use
        - System Location Discovery: System Language Discovery
      [PID 2944] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo n"
      [PID 5044] C:\Windows\SysWOW64\net.exe
        Command line: net share
        - System Location Discovery: System Language Discovery
        [PID 4636] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 share
          - System Location Discovery: System Language Discovery
      [PID 3080] C:\Windows\SysWOW64\net.exe
        Command line: net view /domain
        - System Location Discovery: System Language Discovery
        - Discovers systems in the same network
      [PID 4948] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
      [PID 4560] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "------"
        - System Location Discovery: System Language Discovery
      [PID 2988] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        - System Location Discovery: System Language Discovery
      [PID 3232] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "domain"
        - System Location Discovery: System Language Discovery
      [PID 3432] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        - System Location Discovery: System Language Discovery
      [PID 2828] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "¬A╛╣"
        - System Location Discovery: System Language Discovery
      [PID 4000] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        - System Location Discovery: System Language Discovery
      [PID 4008] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "░⌡ªµª¿"
        - System Location Discovery: System Language Discovery
      [PID 3948] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        - System Location Discovery: System Language Discovery
      [PID 4364] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "├ⁿ┴ε"
        - System Location Discovery: System Language Discovery
      [PID 220] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        - System Location Discovery: System Language Discovery
      [PID 536] C:\Windows\SysWOW64\find.exe
        Command line: find /i /v "completed successfully"
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Discovery
  Domain Trust Discovery: 1
  Network Service Discovery: 1
  Network Share Discovery: 1
  Password Policy Discovery: 1
  Peripheral Device Discovery: 1
  Permission Groups Discovery: 2
    Domain Groups: 1
    Local Groups: 1
  Process Discovery: 1
  Query Registry: 1
  Remote System Discovery: 1
  System Information Discovery: 3
  System Location Discovery: 1
    System Language Discovery: 1
  System Network Connections Discovery: 1
Downloads