Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 123s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 06:39
Static task: static1
Behavioral task: behavioral1
- Sample: eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
- Size: 99KB
- MD5: eac6cb2a4a60d7db2618acb63ba47bfe
- SHA1: 226ed23500be40bf1e0f79757c15d8a0d731b725
- SHA256: 11e2647b14f26ffbb40a729eeb9e958d1e732bf682f6d209a22c75b84b275859
- SHA512: e1599c1c39013b989a94e1cf9d7715fb65e08c366928f9548169c27a1cb1243d4c4f87bc4e830dc93c3922798f0f5f75f502017bb2181a510096f7c82432ac15
- SSDEEP: 768:WkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn6jkvORFUWCn7wRu5mEf:vkQJcqwmIfj+ECJGCkvONymEn6zSDIw
Malware Config
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE (1 IoCs)
  PID / Process: 3028 wmimgmt.exe
- Loads dropped DLL (2 IoCs)
  PID / Process: 2532 eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe; 2532 eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (reg.exe)
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\F: (wmimgmt.exe)
- Network Service Discovery (1 TTPs, 1 IoCs)
  PID / Process: 284 ARP.EXE
- Password Policy Discovery (1 TTPs)
  Attempt to access detailed information about the password policy used within an enterprise network.
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  PID / Process: 2844 tasklist.exe
- Permission Groups Discovery: Domain Groups (1 TTPs)
  Attempt to find domain-level groups and permission settings.
- Permission Groups Discovery: Local Groups (1 TTPs)
  Attempt to find local system groups and permission settings.
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID / Process: 2540 PING.EXE; 2136 findstr.exe
- System Network Connections Discovery (1 TTPs, 1 IoCs)
  Attempt to get a listing of network connections.
  PID / Process: 900 NETSTAT.EXE
- Discovers systems in the same network (1 TTPs, 4 IoCs)
  PID / Process: 532 net.exe; 2224 net.exe; 2212 net.exe; 1292 net.exe
- Gathers network information (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  PID / Process: 860 ipconfig.exe; 900 NETSTAT.EXE; 2316 NETSTAT.EXE
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  PID / Process: 2780 systeminfo.exe
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  PID / Process: 2540 PING.EXE
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe (PID 2532)
  Command: "C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Application Data\wmimgmt.exe (PID 3028)
    Command: "C:\ProgramData\Application Data\wmimgmt.exe"
    Signatures: Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2524)
      Command: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 2112)
        Command: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\chcp.com (PID 2300)
        Command: chcp
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2296)
        Command: net user
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2268)
          Command: C:\Windows\system32\net1 user
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2748)
        Command: net localgroup administrators
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2768)
          Command: C:\Windows\system32\net1 localgroup administrators
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\tasklist.exe (PID 2844)
        Command: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\systeminfo.exe (PID 2780)
        Command: systeminfo
        Signatures: System Location Discovery: System Language Discovery; Gathers system information
      - C:\Windows\SysWOW64\reg.exe (PID 2196)
        Command: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 2000)
        Command: find "REG_"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 2248)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 2428)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 1376)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 2580)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 1632)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
      - C:\Windows\SysWOW64\reg.exe (PID 1680)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 2856)
        Command: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 2812)
        Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 1820)
        Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
        Signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe (PID 1912)
        Command: reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
      - C:\Windows\SysWOW64\reg.exe (PID 1148)
        Command: reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1756)
        Command: net user Admin
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 1880)
          Command: C:\Windows\system32\net1 user Admin
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1864)
        Command: net user Admin /domain
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 1548)
          Command: C:\Windows\system32\net1 user Admin /domain
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1528)
        Command: net group
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 1952)
          Command: C:\Windows\system32\net1 group
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1244)
        Command: net group /domain
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 744)
          Command: C:\Windows\system32\net1 group /domain
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 296)
        Command: net group "domain admins"
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 288)
          Command: C:\Windows\system32\net1 group "domain admins"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2948)
        Command: net group "domain admins" /domain
        - C:\Windows\SysWOW64\net1.exe (PID 3068)
          Command: C:\Windows\system32\net1 group "domain admins" /domain
      - C:\Windows\SysWOW64\net.exe (PID 3044)
        Command: net group "domain computers"
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 2092)
          Command: C:\Windows\system32\net1 group "domain computers"
      - C:\Windows\SysWOW64\net.exe (PID 2356)
        Command: net group "domain computers" /domain
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 2336)
          Command: C:\Windows\system32\net1 group "domain computers" /domain
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2276)
        Command: net group "domain controllers"
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 2240)
          Command: C:\Windows\system32\net1 group "domain controllers"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2352)
        Command: net group "domain controllers" /domain
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 2272)
          Command: C:\Windows\system32\net1 group "domain controllers" /domain
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\ipconfig.exe (PID 860)
        Command: ipconfig /all
        Signatures: System Location Discovery: System Language Discovery; Gathers network information
      - C:\Windows\SysWOW64\NETSTAT.EXE (PID 900)
        Command: netstat -ano
        Signatures: System Location Discovery: System Language Discovery; System Network Connections Discovery; Gathers network information; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\ARP.EXE (PID 284)
        Command: arp -a
        Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\NETSTAT.EXE (PID 2316)
        Command: netstat -r
        Signatures: System Location Discovery: System Language Discovery; Gathers network information
        - C:\Windows\SysWOW64\cmd.exe (PID 2932)
          Command: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\ROUTE.EXE (PID 824)
            Command: C:\Windows\system32\route.exe print
            Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1076)
        Command: net start
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\net1.exe (PID 2028)
          Command: C:\Windows\system32\net1 start
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1332)
        Command: net use
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (PID 268)
        Command: C:\Windows\system32\cmd.exe /S /D /c" echo n"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1500)
        Command: net share
        - C:\Windows\SysWOW64\net1.exe (PID 540)
          Command: C:\Windows\system32\net1 share
      - C:\Windows\SysWOW64\net.exe (PID 532)
        Command: net view /domain
        Signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe (PID 584)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 2036)
        Command: find /i /v "------"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (PID 740)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 2256)
        Command: find /i /v "domain"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (PID 1352)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 1676)
        Command: find /i /v "¬A╛╣"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (PID 656)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 1028)
        Command: find /i /v "░⌡ªµª¿"
      - C:\Windows\SysWOW64\cmd.exe (PID 2072)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 2132)
        Command: find /i /v "├ⁿ┴ε"
      - C:\Windows\SysWOW64\cmd.exe (PID 808)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\find.exe (PID 2464)
        Command: find /i /v "completed successfully"
      - C:\Windows\SysWOW64\net.exe (PID 2224)
        Command: net view /domain:"WORKGROUP"
        Signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe (PID 684)
        Command: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
      - C:\Windows\SysWOW64\find.exe (PID 1660)
        Command: find "\\"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2212)
        Command: net view \\CCJBVTGQ
        Signatures: Discovers systems in the same network
      - C:\Windows\SysWOW64\net.exe (PID 1292)
        Command: net view \\CCJBVTGQ
        Signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network
      - C:\Windows\SysWOW64\find.exe (PID 1232)
        Command: find "Disk"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\PING.EXE (PID 2540)
        Command: ping -n 1 CCJBVTGQ
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Windows\SysWOW64\findstr.exe (PID 2136)
        Command: findstr /i "Pinging Reply Request Unknown"
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Discovery
- Domain Trust Discovery (1)
- Network Service Discovery (1)
- Network Share Discovery (1)
- Password Policy Discovery (1)
- Peripheral Device Discovery (1)
- Permission Groups Discovery (2)
  - Domain Groups (1)
  - Local Groups (1)
- Process Discovery (1)
- Query Registry (1)
- Remote System Discovery (2)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Network Connections Discovery (1)
Downloads