Analysis
max time kernel: 140s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 22:08

Static task: static1
Behavioral task: behavioral1
  Sample: 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
  Resource: win10v2004-20241007-en

General
Target: 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
Size: 252KB
MD5: 98b94959187e33ef4fdb4116cc2aa1e2
SHA1: 4df59ac87cfe2d6b88490452e5eb8abfc16ee167
SHA256: 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
SHA512: 32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8
SSDEEP: 3072:cOXQ2G+IpQZQne73qe8UzT+nWwXjDRJWwXjDRgjDRbL7oZC3:jvGlpQE4qNUzCrw
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
Caveat: the only net.exe command lines in the process tree below are "net user" and "net localgroup administrators", which list accounts and group membership without changing them, so this signature fired on enumeration rather than on an observed privilege change. Treat it as Permission Groups Discovery unless the dropped batch script or memory shows an add/modify command the sandbox did not capture.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Executes dropped EXE 2 IoCs
pid   Process
2556  wmimgmt.exe
496   wmimgmt.exe
-
Loads dropped DLL 3 IoCs
pid   Process
2656  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
2656  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
2556  wmimgmt.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmi32 = "\"C:\\ProgramData\\Application Data\\wmimgmt.exe\""   wmimgmt.exe
Note for responders: the value lives under the user's SID hive (HKCU Run), so it is per-user persistence that survives reboot. The name wmimgmt.exe imitates the WMI Control snap-in (wmimgmt.msc); Windows ships no executable of that name under ProgramData. On Windows Vista and later, C:\ProgramData\Application Data is a hidden compatibility junction to C:\ProgramData, so the dropped file can be reached through either path when hunting.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\F:  wmimgmt.exe
-
Network Service Discovery 1 IoCs
pid   Process
2788  ARP.EXE
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid   Process
2532  tasklist.exe
-
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process                                                                   procid_target
PID 3052 set thread context of 2656  3052  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  31
PID 2556 set thread context of 496   2556  wmimgmt.exe                                                               34
In both rows the parent writes into, and then resets the thread context of, a child started from its own image (see the WriteProcessMemory rows below and the process tree); that is the shape of process hollowing, applied first to the sample itself and again to the dropped wmimgmt.exe copy.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 55 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 55 IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; opens per process:
Process                                                                   Opens
cmd.exe                                                                   10
find.exe                                                                  9
net.exe                                                                   9
reg.exe                                                                   8
net1.exe                                                                  4
5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  2
wmimgmt.exe                                                               2
findstr.exe                                                               2
NETSTAT.EXE                                                               2
chcp.com                                                                  1
tasklist.exe                                                              1
PING.EXE                                                                  1
ipconfig.exe                                                              1
ROUTE.EXE                                                                 1
ARP.EXE                                                                   1
systeminfo.exe                                                            1
Caveat: 51 of the 55 opens come from the built-in console utilities the batch script runs, which read this key for locale handling, so on its own this signature carries little weight here.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
1056  PING.EXE
1984  findstr.exe
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
pid   Process
2036  NETSTAT.EXE
-
Discovers systems in the same network 1 TTPs 4 IoCs
pid   Process
1992  net.exe
1784  net.exe
2932  net.exe
2344  net.exe
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
pid   Process
2376  NETSTAT.EXE
296   ipconfig.exe
2036  NETSTAT.EXE
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid   Process
2632  systeminfo.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
1056  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3052  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
2556  wmimgmt.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description                pid   Process                                                                   count
Token: SeBackupPrivilege   2656  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  7
Token: SeRestorePrivilege  2656  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  6
Token: SeDebugPrivilege    2532  tasklist.exe                                                              1
Token: SeDebugPrivilege    2036  NETSTAT.EXE                                                               1
SeBackupPrivilege and SeRestorePrivilege let a process read and write files and registry hives regardless of their ACLs; repeatedly enabling them in the hollowed sample (PID 2656) is consistent with the credential-store access flagged above, though the report does not show which objects were read.
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
3052  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
3052  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
2556  wmimgmt.exe
2556  wmimgmt.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Each row appears several times in the raw report; the count column gives the repetitions. The list is capped at 64 entries, so the later children of cmd.exe (PID 2152) shown in the process tree are not listed here.
description                        pid   Process                                                                   procid_target  count
PID 3052 wrote to memory of 2656   3052  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  31             6
PID 2656 wrote to memory of 2556   2656  5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe  33             4
PID 2556 wrote to memory of 496    2556  wmimgmt.exe                                                               34             6
PID 496 wrote to memory of 2152    496   wmimgmt.exe                                                               35             4
PID 2152 wrote to memory of 2164   2152  cmd.exe                                                                   37             4
PID 2152 wrote to memory of 1404   2152  cmd.exe                                                                   38             4
PID 2152 wrote to memory of 2056   2152  cmd.exe                                                                   39             4
PID 2056 wrote to memory of 2316   2056  net.exe                                                                   40             4
PID 2152 wrote to memory of 1168   2152  cmd.exe                                                                   41             4
PID 1168 wrote to memory of 2276   1168  net.exe                                                                   42             4
PID 2152 wrote to memory of 2532   2152  cmd.exe                                                                   43             4
PID 2152 wrote to memory of 2632   2152  cmd.exe                                                                   45             4
PID 2152 wrote to memory of 1956   2152  cmd.exe                                                                   47             4
PID 2152 wrote to memory of 1776   2152  cmd.exe                                                                   48             4
PID 2152 wrote to memory of 2908   2152  cmd.exe                                                                   49             4
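The SetThreadContext and WriteProcessMemory rows above are the raw material for reconstructing how execution moved from the submitted sample into the persisted wmimgmt.exe copy. The following Python is an added example written for this page, not tooling from the sandbox or the sample's author: it parses rows in the report's own "PID <src> <action> <dst> <src> <image> <id>" format, builds a cross-process-access graph, and flags parent/child pairs where a process writes into a child running its own image and then resets its thread context (the process-hollowing shape the report's signatures describe but do not name). The SAMPLE.EXE shorthand for the long sample file name, the collapsing of repeated write rows to one per pair, and the pid-to-image table are simplifications made here from the page's data.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" signatures. The long sample file name
# is shortened to SAMPLE.EXE and the repeated write rows are collapsed to one
# per pair; both are our simplifications, not the report's text.
SET_THREAD_CONTEXT_ROWS = """
PID 3052 set thread context of 2656 3052 SAMPLE.EXE 31
PID 2556 set thread context of 496 2556 wmimgmt.exe 34
"""

WRITE_PROCESS_MEMORY_ROWS = """
PID 3052 wrote to memory of 2656 3052 SAMPLE.EXE 31
PID 2656 wrote to memory of 2556 2656 SAMPLE.EXE 33
PID 2556 wrote to memory of 496 2556 wmimgmt.exe 34
PID 496 wrote to memory of 2152 496 wmimgmt.exe 35
PID 2152 wrote to memory of 2164 2152 cmd.exe 37
PID 2152 wrote to memory of 2056 2152 cmd.exe 39
PID 2056 wrote to memory of 2316 2056 net.exe 40
"""

# pid -> image name, taken from the report's process tree (same SAMPLE.EXE shorthand).
PROCESS_IMAGES = {
    3052: "SAMPLE.EXE", 2656: "SAMPLE.EXE",
    2556: "wmimgmt.exe", 496: "wmimgmt.exe",
    2152: "cmd.exe", 2164: "findstr.exe", 2056: "net.exe", 2316: "net1.exe",
}

# Row layout: "PID <src> <action> <dst> <src again> <src image> <target id>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)

def parse_rows(text):
    """Yield (src_pid, action, dst_pid, src_image) for every well-formed row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["action"], int(m["dst"]), m["image"]

def build_access_graph(*row_blobs):
    """Map (src_pid, dst_pid) -> set of cross-process actions seen between them."""
    graph = defaultdict(set)
    for blob in row_blobs:
        for src, action, dst, _ in parse_rows(blob):
            graph[(src, dst)].add(action)
    return graph

def hollowing_candidates(graph, images):
    """A process that writes into a child running its own image and then
    replaces that child's thread context is the shape of process hollowing
    (RunPE). Return sorted (parent, child, image) triples matching that shape."""
    hits = []
    for (src, dst), actions in graph.items():
        same_image = images.get(src) is not None and images.get(src) == images.get(dst)
        if same_image and {"set thread context of", "wrote to memory of"} <= actions:
            hits.append((src, dst, images[src]))
    return sorted(hits)

def execution_path(graph, start, images, stop_at=frozenset()):
    """Follow src->dst edges from `start` (lowest child pid first) until the
    current image is in `stop_at`, e.g. the cmd.exe that runs the recon script."""
    path, cur, seen = [start], start, {start}
    while images.get(cur) not in stop_at:
        nxt = sorted(dst for (src, dst) in graph if src == cur and dst not in seen)
        if not nxt:
            break
        cur = nxt[0]
        seen.add(cur)
        path.append(cur)
    return path

if __name__ == "__main__":
    g = build_access_graph(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS)
    print("hollowing candidates:", hollowing_candidates(g, PROCESS_IMAGES))
    print("path to recon shell :", execution_path(g, 3052, PROCESS_IMAGES, {"cmd.exe"}))
```

On this report's rows the two candidates are (3052 -> 2656, SAMPLE.EXE) and (2556 -> 496, wmimgmt.exe), and the walk from PID 3052 reaches the cmd.exe at PID 2152 in four hops, which matches the nesting in the process tree. The same-image test is what separates hollowing from an ordinary parent writing startup data into a child it spawned.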
Processes
Indentation shows parent/child nesting; each entry gives the image path, the command line, the signatures that fired on it, and its PID.

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3052
  C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2656
    C:\ProgramData\Application Data\wmimgmt.exe
      Command line: "C:\ProgramData\Application Data\wmimgmt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2556
      C:\ProgramData\Application Data\wmimgmt.exe
        Command line: "C:\ProgramData\Application Data\wmimgmt.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 496
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2152
          C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
            - System Location Discovery: System Language Discovery
            PID: 2164
          C:\Windows\SysWOW64\chcp.com
            Command line: chcp
            - System Location Discovery: System Language Discovery
            PID: 1404
          C:\Windows\SysWOW64\net.exe
            Command line: net user
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2056
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 user
              - System Location Discovery: System Language Discovery
              PID: 2316
          C:\Windows\SysWOW64\net.exe
            Command line: net localgroup administrators
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1168
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 localgroup administrators
              - System Location Discovery: System Language Discovery
              PID: 2276
          C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 2532
          C:\Windows\SysWOW64\systeminfo.exe
            Command line: systeminfo
            - System Location Discovery: System Language Discovery
            - Gathers system information
            PID: 2632
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            - System Location Discovery: System Language Discovery
            PID: 1956
          C:\Windows\SysWOW64\find.exe
            Command line: find "REG_"
            - System Location Discovery: System Language Discovery
            PID: 1776
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
            - System Location Discovery: System Language Discovery
            PID: 2908
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 660
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 1488
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 2928
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 852
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 3064
          C:\Windows\SysWOW64\reg.exe
            Command line: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
            - System Location Discovery: System Language Discovery
            PID: 2144
          C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig /all
            - System Location Discovery: System Language Discovery
            - Gathers network information
            PID: 296
          C:\Windows\SysWOW64\NETSTAT.EXE
            Command line: netstat -ano
            - System Location Discovery: System Language Discovery
            - System Network Connections Discovery
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken
            PID: 2036
          C:\Windows\SysWOW64\ARP.EXE
            Command line: arp -a
            - Network Service Discovery
            - System Location Discovery: System Language Discovery
            PID: 2788
          C:\Windows\SysWOW64\NETSTAT.EXE
            Command line: netstat -r
            - System Location Discovery: System Language Discovery
            - Gathers network information
            PID: 2376
            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
              - System Location Discovery: System Language Discovery
              PID: 2228
              C:\Windows\SysWOW64\ROUTE.EXE
                Command line: C:\Windows\system32\route.exe print
                - System Location Discovery: System Language Discovery
                PID: 1112
          C:\Windows\SysWOW64\net.exe
            Command line: net start
            - System Location Discovery: System Language Discovery
            PID: 1140
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start
              - System Location Discovery: System Language Discovery
              PID: 1932
          C:\Windows\SysWOW64\net.exe
            Command line: net use
            - System Location Discovery: System Language Discovery
            PID: 1408
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo n"
            - System Location Discovery: System Language Discovery
            PID: 2168
          C:\Windows\SysWOW64\net.exe
            Command line: net share
            - System Location Discovery: System Language Discovery
            PID: 1304
            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 share
              - System Location Discovery: System Language Discovery
              PID: 1000
          C:\Windows\SysWOW64\net.exe
            Command line: net view /domain
            - System Location Discovery: System Language Discovery
            - Discovers systems in the same network
            PID: 1992
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
            - System Location Discovery: System Language Discovery
            PID: 960
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "------"
            - System Location Discovery: System Language Discovery
            PID: 2424
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
            - System Location Discovery: System Language Discovery
            PID: 3040
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "domain"
            - System Location Discovery: System Language Discovery
            PID: 1988
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
            - System Location Discovery: System Language Discovery
            PID: 1684
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "¬A╛╣"   (non-ASCII filter string, shown as the sandbox rendered it in the OEM code page)
            - System Location Discovery: System Language Discovery
            PID: 1132
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
            - System Location Discovery: System Language Discovery
            PID: 1544
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "░⌡ªµª¿"   (non-ASCII filter string, shown as the sandbox rendered it)
            - System Location Discovery: System Language Discovery
            PID: 2904
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "
            - System Location Discovery: System Language Discovery
            PID: 1752
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "├ⁿ┴ε"   (non-ASCII filter string, shown as the sandbox rendered it)
            - System Location Discovery: System Language Discovery
            PID: 2452
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "
            - System Location Discovery: System Language Discovery
            PID: 1748
          C:\Windows\SysWOW64\find.exe
            Command line: find /i /v "completed successfully"
            - System Location Discovery: System Language Discovery
            PID: 1732
          C:\Windows\SysWOW64\net.exe
            Command line: net view /domain:"WORKGROUP"
            - System Location Discovery: System Language Discovery
            - Discovers systems in the same network
            PID: 1784
          C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\workgrp.tmp "
            - System Location Discovery: System Language Discovery
            PID: 1912
          C:\Windows\SysWOW64\find.exe
            Command line: find "\\"
            - System Location Discovery: System Language Discovery
            PID: 2256
          C:\Windows\SysWOW64\net.exe
            Command line: net view \\ZQABOPWE
            - System Location Discovery: System Language Discovery
            - Discovers systems in the same network
            PID: 2932
          C:\Windows\SysWOW64\net.exe
            Command line: net view \\ZQABOPWE
            - System Location Discovery: System Language Discovery
            - Discovers systems in the same network
            PID: 2344
          C:\Windows\SysWOW64\find.exe
            Command line: find "Disk"
            - System Location Discovery: System Language Discovery
            PID: 340
          C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 1 ZQABOPWE
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1056
          C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /i "Pinging Reply Request Unknown"
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            PID: 1984

Reading the tree: the dropped wmimgmt.exe (PID 496) runs ghi.bat from the Temporary Internet Files directory with delayed expansion enabled (/v:on), and that script drives every later process: account and group listing, process and system inventory, Internet Explorer and Office registry queries, network configuration, route and share listing, then "net view" across the workgroup, filtering the saved s.log/t.log/workgrp.tmp output with find and probing each discovered host (ZQABOPWE in this run) with "net view" and a single ping. The findstr /s over "C:\Users\Admin"\..\*.txt is the search that maps to Credentials In Files in the ATT&CK summary below. The host name ZQABOPWE is whatever the sandbox network exposed and is not an indicator.
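The tree above is a recognisable shape on an endpoint: one cmd.exe launching a burst of built-in discovery utilities within seconds, started by a binary in ProgramData that also registered itself under the user's Run key. The following Python is an added example written for this page, not code from the sandbox or the sample: it runs that detection logic over constructed process-creation events in a trimmed Sysmon Event ID 1 shape. The PIDs, parent links, images and command lines are taken from the report's process tree, but the timestamps, the two "administrator" noise events, and the short list of Windows-component name prefixes used to score the Run-key value name are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (trimmed Sysmon Event ID 1 shape).
# PIDs, parents, images and command lines follow the report's process tree;
# timestamps and the two "admin" events at the end are invented.
T0 = datetime(2024, 10, 15, 22, 8, 0)

def ev(sec, pid, ppid, image, cmdline):
    return {"time": T0 + timedelta(seconds=sec), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}

BAT = r"C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat"
EVENTS = [
    ev(0, 496, 2556, r"C:\ProgramData\Application Data\wmimgmt.exe",
       r'"C:\ProgramData\Application Data\wmimgmt.exe"'),
    ev(1, 2152, 496, r"C:\Windows\SysWOW64\cmd.exe",
       rf'C:\Windows\system32\cmd.exe /v:on /c "{BAT}"'),
    ev(2, 2056, 2152, r"C:\Windows\SysWOW64\net.exe", "net user"),
    ev(2, 1168, 2152, r"C:\Windows\SysWOW64\net.exe", "net localgroup administrators"),
    ev(3, 2532, 2152, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ev(4, 2632, 2152, r"C:\Windows\SysWOW64\systeminfo.exe", "systeminfo"),
    ev(5, 296, 2152, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    ev(6, 2036, 2152, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat -ano"),
    ev(7, 2788, 2152, r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    ev(8, 1992, 2152, r"C:\Windows\SysWOW64\net.exe", "net view /domain"),
    # Benign noise (invented): an administrator checking one thing by hand.
    ev(30, 4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ev(31, 4101, 4100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# The Run-key write from the report's "Adds Run key to start application" signature.
AUTORUN = (r"\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\wmi32",
           r'"C:\ProgramData\Application Data\wmimgmt.exe"')

# Built-in utilities the batch script chains; net1.exe is the helper net.exe
# spawns, so image_name() folds it into net.exe.
DISCOVERY_TOOLS = {"net.exe", "tasklist.exe", "systeminfo.exe", "ipconfig.exe",
                   "netstat.exe", "arp.exe", "route.exe", "ping.exe"}
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users")

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower().replace("net1.exe", "net.exe")

def discovery_bursts(events, min_tools=4, window=timedelta(seconds=60)):
    """Return {parent_pid: [tools]} for each parent that launches at least
    `min_tools` distinct discovery utilities inside a sliding `window`."""
    by_parent = defaultdict(list)
    for e in events:
        if image_name(e["image"]) in DISCOVERY_TOOLS:
            by_parent[e["ppid"]].append(e)
    hits = {}
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e["time"])
        for i, first in enumerate(kids):
            tools = {image_name(k["image"]) for k in kids[i:]
                     if k["time"] - first["time"] <= window}
            if len(tools) >= min_tools:
                hits[ppid] = sorted(tools)
                break
    return hits

def script_from_user_path(events, pid):
    """True when `pid` is a cmd.exe whose command line runs a .bat stored under
    a user-writable directory (the report's ghi.bat in Temporary Internet Files)."""
    for e in events:
        if e["pid"] == pid and image_name(e["image"]) == "cmd.exe":
            cl = e["cmdline"].lower()
            return ".bat" in cl and any(p in cl for p in USER_WRITABLE_PREFIXES)
    return False

def suspicious_autorun(key, value):
    """Score one Run-key entry; returns (target_path, reasons)."""
    name = key.rsplit("\\", 1)[-1].lower()
    target = value.strip().strip('"')
    reasons = []
    if target.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("autorun target in user-writable directory")
    # Prefixes that imitate Windows components; this short list is an
    # assumption for the example, not a complete allow/deny list.
    if name.startswith(("wmi", "svchost", "csrss", "lsass")):
        reasons.append("value name imitates a Windows component")
    return target, reasons

def triage(events, autorun):
    bursts = discovery_bursts(events)
    return {
        "discovery_bursts": bursts,
        "bat_launchers": sorted(p for p in bursts if script_from_user_path(events, p)),
        "autorun": suspicious_autorun(*autorun),
    }

if __name__ == "__main__":
    for name, finding in triage(EVENTS, AUTORUN).items():
        print(f"{name}: {finding}")
```

On the constructed events only PID 2152 trips the burst rule (six distinct tools in under ten seconds), it is also the cmd.exe running a .bat from the user's profile, and the Run-key value scores on both the ProgramData target and the wmi-prefixed name; the lone "ipconfig /all" from the invented administrator shell stays below the threshold. The window and tool count are tuning knobs: four distinct tools in a minute from one parent is rare for interactive use but routine for inventory agents, so allow-list those by image path before deploying.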
Network
MITRE ATT&CK Enterprise v15
The number after each technique is the sandbox's count of matching signatures.

Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Network Share Discovery (1)
- Peripheral Device Discovery (1)
- Permission Groups Discovery (1)
  - Local Groups (1)
- Process Discovery (1)
- Query Registry (1)
- Remote System Discovery (2)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Network Connections Discovery (1)
Downloads
-
Filesize: 7KB
MD5: d201284d6afc7144777cb22959679f8a
SHA1: 67de29a0c0ee94dbe794ec2b31f3885961cadf8d
SHA256: c201f4be0f5a1c560e581a79d38c99d520f22304247651e858404af314d9515d
SHA512: bafd4d49c66b4f569c9e987d1305e6628dcf63d2964597268900cc45c662bf4ceab94a863a729c2f82a40f53d27779e5086f08da1436342fae1c4fc13e1ec2e9
-
Filesize: 24.9MB
MD5: e8e0931ef541816dc7aefa60a4bbc5ca
SHA1: 5f98a9f99be4248900c73378e2374f077b013584
SHA256: a93f4af109bdba7184d0342c4297ca10798248477b271a7edb68dcfa2e5075d7
SHA512: 8337e604573a645028ab45dfdf801478e92b1ed137de6018321c04a74ebfbe5f826268bc021ab340298f003e9640fbca419b21e6598f1e75938d96224f06f872
-
Filesize: 15B
MD5: 4ff8e80638f36abd8fb131c19425317b
SHA1: 358665afaf5f88dfebcdb7c56e963693c520c136
SHA256: 6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512: d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
Filesize: 3KB
MD5: 8c6085bd713786647b4b4d9d14a14f0f
SHA1: 6f6d5ce899e8ce5ea36662793ad768f7daf466e5
SHA256: a805b09be4a2503d73876264fa7a489e1efee619bbf7197c4ee8b084fbb1afbc
SHA512: c5e1a18fb945015746dcff969ea5dfe91497cdc756e3d8193518645ce7cb51de816338ba6a514f285bc1794d84e416b76485222e49409e5554a416ca29c5de10
-
Filesize: 153B
MD5: b256c8a481b065860c2812e742f50250
SHA1: 51ddf02764fb12d88822450e8a27f9deac85fe54
SHA256: b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512: f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360
-
Filesize: 64B
MD5: e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1: acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA256: 8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512: f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize: 72B
MD5: 59f2768506355d8bc50979f6d64ded26
SHA1: b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA256: 7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512: e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028
-
Filesize: 234B
MD5: 9f514a9a9be8c276f087b96c5672793f
SHA1: 1246bb423354f1d2933b6ba349afc4cdc9081d7a
SHA256: 1bad6d563fe359f1efab71d957041f1dc000b35b324a77e60e0d5333b3790107
SHA512: 8fee0279266c8e27a3d4970881bad1767f7a7fd2ee7424b2bee5c5e2d2298f17788fd55ccbe874c076772c25f8a787b74b5c9256d6ed189ba77e7112640d7f1e
-
Filesize: 43B
MD5: ede1840193bbfcde47e2c985ca40fbfc
SHA1: d243a17049d1c43c6acc5532ccac339c756b54bc
SHA256: 6b5d4ee34ccd135ff6f2ae63118e3ed46223b584be51ea34bb6d225b48777df9
SHA512: bc096f3ec15c587871f03148a86c663d9480887eedc71d57d7bde18fa07dc094e991f79805b10ab5338d5d9926e1919d466c1d1dbf20eb0f8cfdd53cb2a9955e
-
Filesize: 15KB
MD5: 5f903513ae55f527e57f4d2e6bab7abc
SHA1: 749c9c7039a4f741a31cd82ea3e59f9e68a6cd10
SHA256: 6caab0d7e574a4a3838f6d13e9ad44c20b2feb0ffbbfbf7e01eb14aeede6fe12
SHA512: 896042b9fc47d6c61e9d3932340f7dcbb12395ebfcdcd48d0d46146d6455b7e6b5e669038e0ae0b642f40d86b82e7384e00ee9b87c26b05cfa42ab61bdfc4c3d
-
Filesize: 74B
MD5: 9a183fa5decb55ccafeeef2bc2c2338a
SHA1: 048c8b157d61f5364c678a966045224b70b355d4
SHA256: 6979a9d011a33426a574e41ccf15560e00af3c6975a48586fea43c3c9ac3ca2e
SHA512: b3aa00454b915928844af1a7836f2c088a202aa0ae3604cc511c5571ca20a4ed5c2a4c907f3e4a0d1dd8b6b329ce653a8f96d2c83ce91f64a899d3006f845e4a
-
Filesize: 252KB (the submitted sample itself; hashes match the General section)
MD5: 98b94959187e33ef4fdb4116cc2aa1e2
SHA1: 4df59ac87cfe2d6b88490452e5eb8abfc16ee167
SHA256: 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
SHA512: 32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8