Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
Size: 160KB
MD5: fb317b990f2f41f7de3a4be4d67db9b2
SHA1: 3890c26a6052090c88c953b01a69b7e19439442b
SHA256: 5d779261d7787da657d9e77b3dee4a4371f3f5432592ad8c60e8863209f2285c
SHA512: c9efcca432a770e06877d51f4fec58412a569c9ee5a335d2d5ff6b2f1c9185b8a6e5cfb7e1ee279401b8716f71be996633bc87b2f420c64c21441b7539094986
SSDEEP: 3072:m6cpbetNSe92q0158JUMD3cvC5qrI/q07:m6cBetke92q458qYKCwrR07
Malware Config
Signatures
Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
Blocklisted process makes network request (4 IoCs)
  flow | pid  | Process
  5    | 2896 | rundll32.exe
  8    | 2896 | rundll32.exe
  10   | 2896 | rundll32.exe
  12   | 2896 | rundll32.exe
Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EventSystem\Parameters\ServiceDll = "C:\\Windows\\system32\\EventSystem.dll" | avp.exe
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
Executes dropped EXE (2 IoCs)
  pid  | Process
  2108 | wmimgmt.exe
  2240 | avp.exe
Loads dropped DLL (8 IoCs)
  pid  | Process
  2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  2108 | wmimgmt.exe
  2108 | wmimgmt.exe
  2896 | rundll32.exe
  2896 | rundll32.exe
  2896 | rundll32.exe
  2896 | rundll32.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmi32 = "C:\\ProgramData\\Application Data\\wmimgmt.exe" | wmimgmt.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | wmimgmt.exe
Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Network Service Discovery
  pid  | Process
  1776 | ARP.EXE
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\EventSystem.dll | avp.exe
  File created | C:\Windows\SysWOW64\hongzquit.dat | avp.exe
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid  | Process
  2916 | tasklist.exe
Permission Groups Discovery: Local Groups (1 TTPs)
  Attempt to find local system groups and permission settings.
System Location Discovery: System Language Discovery (1 TTPs, 58 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NotePAD.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NETSTAT.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NETSTAT.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmimgmt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ROUTE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid  | Process
  1576 | PING.EXE
  1604 | findstr.exe
System Network Connections Discovery (1 TTPs, 1 IoCs)
  Attempt to get a listing of network connections.
  pid  | Process
  2324 | NETSTAT.EXE
Discovers systems in the same network (1 TTPs, 4 IoCs)
  pid  | Process
  1740 | net.exe
  1216 | net.exe
  908  | net.exe
  1316 | net.exe
Gathers network information (2 TTPs, 3 IoCs)
  Uses commandline utility to view network configuration.
  pid  | Process
  276  | ipconfig.exe
  2324 | NETSTAT.EXE
  2956 | NETSTAT.EXE
Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid  | Process
  2848 | systeminfo.exe
Opens file in notepad (likely ransom note) (1 IoCs)
  pid  | Process
  1920 | NotePAD.exe
Runs net.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid  | Process
  1576 | PING.EXE
Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2240 | avp.exe
  Token: SeIncBasePriorityPrivilege | 2240 | avp.exe
  Token: SeDebugPrivilege | 2916 | tasklist.exe
  Token: SeDebugPrivilege | 2324 | NETSTAT.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2300 wrote to memory of 2108 | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe | 30
  PID 2300 wrote to memory of 2108 | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe | 30
  PID 2300 wrote to memory of 2108 | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe | 30
  PID 2300 wrote to memory of 2108 | 2300 | fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe | 30
  PID 2108 wrote to memory of 2240 | 2108 | wmimgmt.exe | 31
  PID 2108 wrote to memory of 2240 | 2108 | wmimgmt.exe | 31
  PID 2108 wrote to memory of 2240 | 2108 | wmimgmt.exe | 31
  PID 2108 wrote to memory of 2240 | 2108 | wmimgmt.exe | 31
  PID 2240 wrote to memory of 1092 | 2240 | avp.exe | 32
  PID 2240 wrote to memory of 1092 | 2240 | avp.exe | 32
  PID 2240 wrote to memory of 1092 | 2240 | avp.exe | 32
  PID 2240 wrote to memory of 1092 | 2240 | avp.exe | 32
  PID 2240 wrote to memory of 1920 | 2240 | avp.exe | 33
  PID 2240 wrote to memory of 1920 | 2240 | avp.exe | 33
  PID 2240 wrote to memory of 1920 | 2240 | avp.exe | 33
  PID 2240 wrote to memory of 1920 | 2240 | avp.exe | 33
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2896 | 2240 | avp.exe | 35
  PID 2240 wrote to memory of 2888 | 2240 | avp.exe | 36
  PID 2240 wrote to memory of 2888 | 2240 | avp.exe | 36
  PID 2240 wrote to memory of 2888 | 2240 | avp.exe | 36
  PID 2240 wrote to memory of 2888 | 2240 | avp.exe | 36
  PID 2108 wrote to memory of 2736 | 2108 | wmimgmt.exe | 37
  PID 2108 wrote to memory of 2736 | 2108 | wmimgmt.exe | 37
  PID 2108 wrote to memory of 2736 | 2108 | wmimgmt.exe | 37
  PID 2108 wrote to memory of 2736 | 2108 | wmimgmt.exe | 37
  PID 2736 wrote to memory of 1908 | 2736 | cmd.exe | 39
  PID 2736 wrote to memory of 1908 | 2736 | cmd.exe | 39
  PID 2736 wrote to memory of 1908 | 2736 | cmd.exe | 39
  PID 2736 wrote to memory of 1908 | 2736 | cmd.exe | 39
  PID 2736 wrote to memory of 2624 | 2736 | cmd.exe | 40
  PID 2736 wrote to memory of 2624 | 2736 | cmd.exe | 40
  PID 2736 wrote to memory of 2624 | 2736 | cmd.exe | 40
  PID 2736 wrote to memory of 2624 | 2736 | cmd.exe | 40
  PID 2736 wrote to memory of 2632 | 2736 | cmd.exe | 41
  PID 2736 wrote to memory of 2632 | 2736 | cmd.exe | 41
  PID 2736 wrote to memory of 2632 | 2736 | cmd.exe | 41
  PID 2736 wrote to memory of 2632 | 2736 | cmd.exe | 41
  PID 2632 wrote to memory of 2644 | 2632 | net.exe | 42
  PID 2632 wrote to memory of 2644 | 2632 | net.exe | 42
  PID 2632 wrote to memory of 2644 | 2632 | net.exe | 42
  PID 2632 wrote to memory of 2644 | 2632 | net.exe | 42
  PID 2736 wrote to memory of 2732 | 2736 | cmd.exe | 43
  PID 2736 wrote to memory of 2732 | 2736 | cmd.exe | 43
  PID 2736 wrote to memory of 2732 | 2736 | cmd.exe | 43
  PID 2736 wrote to memory of 2732 | 2736 | cmd.exe | 43
  PID 2732 wrote to memory of 2008 | 2732 | net.exe | 44
  PID 2732 wrote to memory of 2008 | 2732 | net.exe | 44
  PID 2732 wrote to memory of 2008 | 2732 | net.exe | 44
  PID 2732 wrote to memory of 2008 | 2732 | net.exe | 44
  PID 2736 wrote to memory of 2916 | 2736 | cmd.exe | 45
  PID 2736 wrote to memory of 2916 | 2736 | cmd.exe | 45
  PID 2736 wrote to memory of 2916 | 2736 | cmd.exe | 45
  PID 2736 wrote to memory of 2916 | 2736 | cmd.exe | 45
  PID 2736 wrote to memory of 2848 | 2736 | cmd.exe | 47
  PID 2736 wrote to memory of 2848 | 2736 | cmd.exe | 47
  PID 2736 wrote to memory of 2848 | 2736 | cmd.exe | 47
  PID 2736 wrote to memory of 2848 | 2736 | cmd.exe | 47
  PID 2736 wrote to memory of 1472 | 2736 | cmd.exe | 49
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb317b990f2f41f7de3a4be4d67db9b2_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2300

  [2] C:\ProgramData\Application Data\wmimgmt.exe
      Command line: "C:\ProgramData\Application Data\wmimgmt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2108

    [3] C:\Users\Admin\AppData\Local\Temp\avp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\avp.exe
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2240

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          - System Location Discovery: System Language Discovery
          PID: 1092

      [4] C:\Windows\SysWOW64\NotePAD.exe
          Command line: NotePAD.exe "C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log"
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
          PID: 1920

      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11
          - Blocklisted process makes network request
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID: 2896

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          - System Location Discovery: System Language Discovery
          PID: 2888

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2736

      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          - System Location Discovery: System Language Discovery
          PID: 1908

      [4] C:\Windows\SysWOW64\chcp.com
          Command line: chcp
          - System Location Discovery: System Language Discovery
          PID: 2624

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net user
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2632

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 user
            - System Location Discovery: System Language Discovery
            PID: 2644

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net localgroup administrators
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2732

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup administrators
            - System Location Discovery: System Language Discovery
            PID: 2008

      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2916

      [4] C:\Windows\SysWOW64\systeminfo.exe
          Command line: systeminfo
          - System Location Discovery: System Language Discovery
          - Gathers system information
          PID: 2848

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          - System Location Discovery: System Language Discovery
          PID: 1472

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find "REG_"
          - System Location Discovery: System Language Discovery
          PID: 2520

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          - System Location Discovery: System Language Discovery
          PID: 2832

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1452

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1864

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1844

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 1720

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 2996

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          - System Location Discovery: System Language Discovery
          PID: 500

      [4] C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /all
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 276

      [4] C:\Windows\SysWOW64\NETSTAT.EXE
          Command line: netstat -ano
          - System Location Discovery: System Language Discovery
          - System Network Connections Discovery
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
          PID: 2324

      [4] C:\Windows\SysWOW64\ARP.EXE
          Command line: arp -a
          - Network Service Discovery
          - System Location Discovery: System Language Discovery
          PID: 1776

      [4] C:\Windows\SysWOW64\NETSTAT.EXE
          Command line: netstat -r
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 2956

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            - System Location Discovery: System Language Discovery
            PID: 2652

          [6] C:\Windows\SysWOW64\ROUTE.EXE
              Command line: C:\Windows\system32\route.exe print
              - System Location Discovery: System Language Discovery
              PID: 2076

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net start
          - System Location Discovery: System Language Discovery
          PID: 2056

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start
            - System Location Discovery: System Language Discovery
            PID: 1376

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net use
          - System Location Discovery: System Language Discovery
          PID: 2484

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo n"
          - System Location Discovery: System Language Discovery
          PID: 308

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net share
          - System Location Discovery: System Language Discovery
          PID: 2388

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 share
            - System Location Discovery: System Language Discovery
            PID: 1112

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net view /domain
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 1740

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          - System Location Discovery: System Language Discovery
          PID: 412

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "------"
          - System Location Discovery: System Language Discovery
          PID: 2512

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 848

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "domain"
          - System Location Discovery: System Language Discovery
          PID: 832

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          - System Location Discovery: System Language Discovery
          PID: 948

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "¬A╛╣"
          - System Location Discovery: System Language Discovery
          PID: 1304

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 1212

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "░⌡ªµª¿"
          - System Location Discovery: System Language Discovery
          PID: 1788

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          - System Location Discovery: System Language Discovery
          PID: 2100

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "├ⁿ┴ε"
          - System Location Discovery: System Language Discovery
          PID: 1020

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          - System Location Discovery: System Language Discovery
          PID: 2328

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find /i /v "completed successfully"
          - System Location Discovery: System Language Discovery
          PID: 296

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net view /domain:"WORKGROUP"
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 1216

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
          - System Location Discovery: System Language Discovery
          PID: 1848

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find "\\"
          - System Location Discovery: System Language Discovery
          PID: 1480

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net view \\ELZYPTFV
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 908

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net view \\ELZYPTFV
          - System Location Discovery: System Language Discovery
          - Discovers systems in the same network
          PID: 1316

      [4] C:\Windows\SysWOW64\find.exe
          Command line: find "Disk"
          - System Location Discovery: System Language Discovery
          PID: 1104

      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 ELZYPTFV
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 1576

      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /i "Pinging Reply Request Unknown"
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          PID: 1604
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Server Software Component (1)
    - Terminal Services DLL (1)
Privilege Escalation
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Discovery
  - Browser Information Discovery (1)
  - Network Service Discovery (1)
  - Network Share Discovery (1)
  - Peripheral Device Discovery (1)
  - Permission Groups Discovery (1)
    - Local Groups (1)
  - Process Discovery (1)
  - Query Registry (1)
  - Remote System Discovery (2)
  - System Information Discovery (3)
  - System Location Discovery (1)
    - System Language Discovery (1)
  - System Network Configuration Discovery (1)
    - Internet Connection Discovery (1)
  - System Network Connections Discovery (1)
Downloads