Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 19:21
Static task: static1

Behavioral task: behavioral1
- Sample: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Size: 947KB
- MD5: e5ac6f9f85c0e55f0d164afa56a45890
- SHA1: 06f0eccf410176d514b86b02f602699d58d56b5a
- SHA256: f173cd6a86e6aaf1ebaddd4e14b8933516246d1bb320ddbe7c221895bb9281b6
- SHA512: 7d067b3a1f13057588c6cbb751b9ce16fd4d444af130780d9ade2ded97ba43160a0bdf70eae33459483d73e737f8e99f096053b8b7213192ef08c5bbb3f2a075
- SSDEEP: 12288:O1UVGInYjg53VLFvth+w7GodQpbelTw4cMb9eQ1kPHSlFi48soHo:O1UVGInYj6vv/Nv+kTJ9kQ1SyLoH
Malware Config

Signatures
- Detect ZGRat V1 (33 IoCs)
  Processes (resource | yara_rule): all 33 hits are memory dumps of the same region of PID 1888,
  behavioral1/memory/1888-<n>-0x00000000054E0000-0x0000000005556000-memory.dmp, each matched by rule family_zgrat_v1, for
  n = 152, 153, 155, 167, 165, 163, 161, 159, 157, 169, 177, 175, 173, 171, 187, 191, 205, 215, 213, 211, 209, 207, 203, 201, 199, 197, 195, 193, 189, 185, 183, 181, 179
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1888 set thread context of 2492 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid | process):
  3020 powershell.exe, 1712 powershell.exe, 1644 powershell.exe, 1864 powershell.exe, 1648 powershell.exe, 2748 powershell.exe, 268 powershell.exe, 2368 powershell.exe, 1748 powershell.exe, 2248 powershell.exe, 1516 powershell.exe, 2024 powershell.exe, 2460 powershell.exe, 1352 powershell.exe, 992 powershell.exe, 1888 e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  3020 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1712 powershell.exe: the same 21 tokens as PID 3020, in the same order
  1644 powershell.exe: the same 21 tokens as PID 3020, in the same order
  1864 powershell.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process); each of the 16 rows below appears four times in the report:
  PID 1888 wrote to memory of 3020 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1712 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1644 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1864 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1648 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2748 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 268 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2368 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1748 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2248 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1516 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2024 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2460 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 1352 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 992 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | powershell.exe
  PID 1888 wrote to memory of 2492 | 1888 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1888
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3020
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1712
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1644
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1864
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 1648
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 2748
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 268
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 2368
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 1748
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 2248
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 1516
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 2024
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 2460
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 1352
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
      - Suspicious behavior: EnumeratesProcesses
      PID: 992
    - C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
      PID: 2492
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: db646c29325a13637d357b458b12684d
  SHA1: 4d386717ffc95cc7effd21ad57603c54b0b563bc
  SHA256: 7c360adb4296af585a387c0b2b897801b08aca67ddd5f16b45fca92d0d2e3d74
  SHA512: b79c06e142f9844815f70b3a0bc9a2c49db3536bb092eeaf5bc2d4d18afa6813d95eac9e92ae49457614384deb192f9571f448b15feb9323db4eae960ed6bf8e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: af7135eb3edcf89dd1502dfc2cbc6b0a
  SHA1: 5fedf75e6e424ea57ec9fcbe72af23acefc3a7ca
  SHA256: 2f684760b996b855dd76bbd796b59b8b0c78d8d99264009bcb1e2dc6e774daf6
  SHA512: ec90eca8e55877c66342eb40e76b9afa462f130171d967e77c4ea116d3c5f6039669505d1ef5f02031f86a7ae4fc6981e55b40b89703b7840c7ac77ecd974050
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e