Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
The signatures, process tree and file list below come from behavioral2 (Windows 10 2004 x64, resource win10v2004-20240226-en); every memory-dump IoC is prefixed behavioral2/.
General
- Target: e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
- Size: 947KB
- MD5: e5ac6f9f85c0e55f0d164afa56a45890
- SHA1: 06f0eccf410176d514b86b02f602699d58d56b5a
- SHA256: f173cd6a86e6aaf1ebaddd4e14b8933516246d1bb320ddbe7c221895bb9281b6
- SHA512: 7d067b3a1f13057588c6cbb751b9ce16fd4d444af130780d9ade2ded97ba43160a0bdf70eae33459483d73e737f8e99f096053b8b7213192ef08c5bbb3f2a075
- SSDEEP: 12288:O1UVGInYjg53VLFvth+w7GodQpbelTw4cMb9eQ1kPHSlFi48soHo:O1UVGInYj6vv/Nv+kTJ9kQ1SyLoH
Malware Config
Signatures
-
Detect ZGRat V1 (33 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2756-N-0x0000000001080000-0x00000000010F6000-memory.dmp | family_zgrat_v1
for N = 245, 246, 248, 250, 252, 254, 256, 258, 260, 262, 264, 266, 268, 270, 272, 274, 276, 278, 280, 282, 284, 286, 288, 290, 292, 294, 296, 298, 300, 302, 304, 306, 308 (33 dumps)
All 33 hits are the same 0x76000-byte (483,328-byte) region of PID 2756, the first instance of the sample, matched again in each successive memory dump. They therefore amount to one in-memory ZGRat payload, not 33 distinct artefacts, and the region sits in the parent process rather than in the child it later writes to (PID 5052, see SetThreadContext and WriteProcessMemory below).
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence: the Geo\Nation value holds the user's configured location (a GeoID), which malware commonly compares against a list of excluded countries before doing anything else.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
-
Reads user/profile data of web browsers (2 TTPs, no IoCs shown)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
These are the three places Outlook keeps MAPI profiles: the Windows Messaging Subsystem key for older versions, Office\15.0 for Outlook 2013 and Office\16.0 for Outlook 2016 and later. Profile keys hold account settings and, for POP/IMAP/SMTP accounts, DPAPI-protected passwords, which is why stealers enumerate all three. The process tree shows that the access is made by the second instance of the sample, PID 5052, not by the parent.
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2756 set thread context of 5052 | 2756 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
The target, PID 5052, is a second instance of the sample's own executable (see the process tree). Setting a thread context in another process after writing into it is the step that redirects that process to injected code. Note that the ZGRat YARA matches above are all in PID 2756's memory; no dumps of PID 5052 are listed.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
pid | process
4596, 3300, 3244, 4924, 5568, 2796, 1964, 4348, 5112, 5336, 4032, 4360, 4548, 5756, 5724 | powershell.exe (each PID listed twice)
2756 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe (listed twice)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token enabled by PID 4596 powershell.exe, in this order: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36; then the same run from SeIncreaseQuotaPrivilege through 36 a second time (43 entries).
Token enabled by PID 3300 powershell.exe: the same run from SeDebugPrivilege through 35 (21 entries; the listing stops at 64 entries, so the other PowerShell instances are not itemized, which is also why only PIDs 4596 and 3300 carry this tag in the process tree).
The numeric entries are privileges reported by LUID rather than name: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege on the token in one sweep is blanket AdjustTokenPrivileges behaviour rather than a targeted escalation; the injecting parent PID 2756 does not appear here at all, and writing into a child it created itself needs no SeDebugPrivilege.
-
Suspicious use of WriteProcessMemory (54 IoCs)
Processes:
description | pid | process | target process
PID 2756 wrote to memory of <target PID> | 2756 | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | <target image>
Targets and write counts, all from PID 2756:
- powershell.exe PIDs 4596, 3300, 3244, 4924, 5568, 2796, 1964, 4348, 5112, 5336, 4032, 4360, 4548, 5756, 5724: 3 writes each (45 entries)
- e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe PID 5052: 9 writes
The same three writes appear for every powershell.exe child, most likely the writes the parent makes while setting up each new process. The nine writes into PID 5052, a second instance of the sample, together with the SetThreadContext call on that same PID, are consistent with process hollowing: start a suspended copy of itself, overwrite its image with the in-memory payload, point the main thread at the new entry point and resume it.
-
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
-
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe (PID 2756, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Children (depth 2), all spawned by PID 2756:

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, 15 instances
    command line (identical for all 15): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
    - PID 4596: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3300: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3244: Suspicious behavior: EnumeratesProcesses
    - PID 4924: Suspicious behavior: EnumeratesProcesses
    - PID 5568: Suspicious behavior: EnumeratesProcesses
    - PID 2796: Suspicious behavior: EnumeratesProcesses
    - PID 1964: Suspicious behavior: EnumeratesProcesses
    - PID 4348: Suspicious behavior: EnumeratesProcesses
    - PID 5112: Suspicious behavior: EnumeratesProcesses
    - PID 5336: Suspicious behavior: EnumeratesProcesses
    - PID 4032: Suspicious behavior: EnumeratesProcesses
    - PID 4360: Suspicious behavior: EnumeratesProcesses
    - PID 4548: Suspicious behavior: EnumeratesProcesses
    - PID 5756: Suspicious behavior: EnumeratesProcesses
    - PID 5724: Suspicious behavior: EnumeratesProcesses
    The command line names System32 but the image that actually ran is under SysWOW64: that is WOW64 file-system redirection, so the parent that launched it is a 32-bit process (matching the arch:x86 resource tag). Test-Connection is PowerShell's ping cmdlet (ICMP echo); the report records nothing the sample does with the result, but fifteen identical invocations from one parent are a connectivity-check and stalling pattern that is easy to alert on by itself.

  C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe (PID 5052, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    This second instance of the sample is the target of PID 2756's nine WriteProcessMemory calls and its SetThreadContext call, and it, not the parent, performs the Outlook profile access.
-
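The two injection signatures and the process tree above boil down to two patterns a detection engineer can re-run over any process log: a hollowing candidate (a process that both writes into and sets the thread context of a child running its own image) and a child fan-out (one parent spawning many children with the same image and command line). The script below is an added example, not code from the Triage report or from Hatching; it parses the report's own "PID X wrote to memory of Y ..." and "PID X set thread context of Y ..." wording, while the `created <pid> <image> parent <ppid> cmdline <...>` line shape, the fan-out threshold of 5 and the event lines themselves are my constructions, built to reproduce this report's counts (3 writes per powershell.exe child, 9 writes plus one SetThreadContext into PID 5052, fifteen identical Test-Connection children).

```python
"""Correlate sandbox process events into injection and fan-out findings.

Added example, not code from the Triage report or from Hatching. The event
lines are constructed to mirror this report's counts; the "created ..." line
shape and the fan-out threshold are assumptions, not a Triage format.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
PS_IMAGE = "powershell.exe"
PS_CMDLINE = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
              " Test-Connection Google.com")
# The fifteen powershell.exe PIDs listed in the report's process tree.
PS_PIDS = [4596, 3300, 3244, 4924, 5568, 2796, 1964, 4348,
           5112, 5336, 4032, 4360, 4548, 5756, 5724]
FANOUT_THRESHOLD = 5  # assumed: flag >= 5 identical children of one parent


def build_events():
    """Constructed event log reproducing the report's counts: 3 writes into
    each powershell.exe child, 9 writes plus one SetThreadContext into the
    second instance of the sample (PID 5052)."""
    lines = []
    for pid in PS_PIDS:
        lines.append(f"created {pid} {PS_IMAGE} parent 2756 cmdline {PS_CMDLINE}")
        lines += [f"PID 2756 wrote to memory of {pid} 2756 {SAMPLE} {PS_IMAGE}"] * 3
    lines.append(f"created 5052 {SAMPLE} parent 2756 cmdline {SAMPLE}")
    lines += [f"PID 2756 wrote to memory of 5052 2756 {SAMPLE} {SAMPLE}"] * 9
    lines.append(f"PID 2756 set thread context of 5052 2756 {SAMPLE} {SAMPLE}")
    return lines


# Injection lines follow the report's own wording:
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
#   "PID <src> set thread context of <dst> <src> <src image> <dst image>"
INJECT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
# Process-creation lines use an assumed shape (not Triage's).
CREATE_RE = re.compile(r"^created (\d+) (\S+) parent (\d+) cmdline (.*)$")


def analyse(lines):
    """Return WriteProcessMemory counts per (src, dst), hollowing candidates
    and child fan-out groups found in the event lines."""
    writes = Counter()             # (src, dst) -> number of memory writes
    thread_ctx = set()             # (src, dst) pairs with SetThreadContext
    images = {}                    # pid -> image name
    children = defaultdict(list)   # parent pid -> [(pid, image, cmdline)]
    for line in lines:
        m = INJECT_RE.match(line)
        if m:
            src, kind, dst, src_img, dst_img = m.groups()
            src, dst = int(src), int(dst)
            images.setdefault(src, src_img)
            images.setdefault(dst, dst_img)
            if kind.startswith("wrote"):
                writes[(src, dst)] += 1
            else:
                thread_ctx.add((src, dst))
            continue
        m = CREATE_RE.match(line)
        if m:
            pid, img, ppid, cmd = m.groups()
            images[int(pid)] = img
            children[int(ppid)].append((int(pid), img, cmd))

    # Hollowing candidate: the writer also set the thread context of a target
    # that runs the writer's own image (a suspended copy of itself).
    hollowing = sorted(
        (src, dst) for (src, dst) in thread_ctx
        if writes[(src, dst)] > 0 and images.get(src) == images.get(dst))

    # Fan-out: one parent spawning many children with identical image+cmdline.
    fanout = {}
    for ppid, kids in children.items():
        for (img, cmd), n in Counter((i, c) for _, i, c in kids).items():
            if n >= FANOUT_THRESHOLD:
                fanout[(ppid, img, cmd)] = n
    return {"writes": dict(writes), "hollowing": hollowing, "fanout": fanout}


if __name__ == "__main__":
    result = analyse(build_events())
    for (src, dst) in result["hollowing"]:
        print(f"hollowing candidate: {src} -> {dst} "
              f"({result['writes'][(src, dst)]} writes, same image)")
    for (ppid, img, cmd), n in result["fanout"].items():
        print(f"fan-out: PID {ppid} spawned {n} x {img}: {cmd}")
```

On this report's data the script reports exactly one hollowing candidate, 2756 -> 5052 with 9 writes, and one fan-out group of 15 powershell.exe children. The same-image test is what separates the 5052 writes from the 45 routine writes into the PowerShell children, which is the distinction the raw signature counts do not make.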
Network
MITRE ATT&CK Enterprise v15
Downloads (16 files)
-
Filesize 2KB
MD5 0774a05ce5ee4c1af7097353c9296c62
SHA1 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256 d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994
-
Filesize 20KB
MD5 4a86614eff96e1dce6cf80d4aa2fe6cb
SHA1 30a595c7289a1d9993069babca6d45297849589f
SHA256 ac28dc2d4add74af332d7685315bd80fb3f0c7aed0ececc3af3f3b7943051a03
SHA512 304846309b3815dbb5be8100e1384a058160cf7a0bf70c64ecc04ddbf569831df75788d176b8109ac9e7a7fcab25c57860fa4b43d3430a1ada6ae6bebf451115
-
Filesize 19KB
MD5 c9e381c2ea62fd0d99ddc8811747aa6b
SHA1 990bf235b09e469222452d013f36b398623fc808
SHA256 71cc857219a854f17e5ed9d136c622c91c9d3d215db03500aa10ce3c2bbe091a
SHA512 fc28a18115bf26e566723483ad30971a2d2f626115d1851178bd2cf099ebdd4b439b0084ff1e128f6685fb58d090340928883ec45254eb44bae81682cd32d15d
-
Filesize 19KB
MD5 e705eeecfa47334eae07762ca0bd745c
SHA1 7592483b5ec123718f489aba7f1eec38f26a09be
SHA256 6a2cbf6a197f0c647155445748d65ba459bda5643193c3645cc597281502e919
SHA512 2a0253e95f0c06ae714295c8576e8475a262399610fd535d325484e64dae52612b6cd631a43e5114577a1bdd81306b94644991c4bc95281dfbf7c4602cfa1bc1
-
Filesize 20KB
MD5 052afd729e3ade04a74b40c992b9faa2
SHA1 d102b02b580eb55dbba12d46be17fe8751f474f4
SHA256 04470335d2e4421304c2855af53594bfc3ed29b1433e13b5def47eba8b7f80b5
SHA512 346b7e013fff7ca90e5a679567d58dd77d1c9b2605ffc3ec06a8c76773cfc3337bc65e1401922ac08c9281c67eb7af4dcdaa6d41bdf9feb08fd92d78e64e74c1
-
Filesize 19KB
MD5 40711b5578ceeb33e67aa16d735beafe
SHA1 3fc84b1e4f7dd9f374b295eed43d36b0d69bf934
SHA256 5b1f0359970f13ee055be281cb1cc2ca91249ce871477fa9ccfffde9446c437b
SHA512 c18bc0997593d29d29593687ef5e5cfcb5e79500c8e4c17423a9b97e6166794bdc3f6b9b14e4dc04ac1286a7eb2e0843980c6409f64e4dd7461a6dbf7c7e9cf7
-
Filesize 20KB
MD5 e6cab0fc4084e2777aa79d2ef3ba4e2e
SHA1 9c44779c71290ce73f97b7d59deb884bc017f4b1
SHA256 040743ac9d0bb5f608a65d686843ebae99744cbce1d4952efa2caa1ce543fd1d
SHA512 47a90e2d864297c871a2a14679ae355dbdd840b9174d1a490c7b53bdfd7dc76cf8d1d344628dff74ecf52768ff50084cad85917e2c1a3265a5515d231ec182f1
-
Filesize 19KB
MD5 3d31fb6fd19983effb8c20582ab2b113
SHA1 7ec20793c205f84e8fdf642f46a435b04496f8c9
SHA256 712791ad83a07ffe320229e85215eada5bd946ceadcc3b2f412b042a9df04d4d
SHA512 af531d543676ada558bfc71cade1319e3ae38efdfc2f51eb2a50ec3f2b28f8c43ff9f01358defd039ecce2be5be71221361e860c84c64e3f1a7bc51cccd0f4bd
-
Filesize 20KB
MD5 5cc3ab93f8226b33ff024aaeeea340e8
SHA1 f88f007e9f2636abf699ad94cb4dd3a40e644248
SHA256 25b550daf26a81e417b1bf09b4980b917169778afb8c262d45b8a8480de167ef
SHA512 2420548f3feeb95a0e41dcb07d8c97ab56531ba5c864fc29a82adf9c020414e1aa3ce054c39134112d100ff10e329fc446d565b540bfada55652063aac3f10d8
-
Filesize 19KB
MD5 01df767c4b8baa3303c8a7a6d1be52e6
SHA1 173ecec865fcbc23d8a66a7162464b545f1b880d
SHA256 667d6f490736d03b1b8895ddc92feecc6022e3385da97f4782c18034ddee7c3f
SHA512 1385cf772f8fa07980a5475a998470638b9a9d48ee91ce5d99d0186a154c806cfa123fc9a9b34fc34b5a0ad68a40e049d188516bf1445bb98c58721c04341ecf
-
Filesize 19KB
MD5 446f94627280ef58ecb75e196efebfe2
SHA1 6ad40707c91cc4d27207f50ccba84219aae1b655
SHA256 02f1e147baa61c9beb15fd2df4cb8158c44099bd130ae981b4ca46e0e649114e
SHA512 cf5e8438995a7ad1e4688027eac38faafb9d49746b64be703f87d084d2e7140364ea0cda575ee38fecc02b75b8e7ab1269d472700428f7e36c2e440d95be9104
-
Filesize 19KB
MD5 f1d55a85fae52e122bfa26132839be01
SHA1 ac3c60117134736e34418f5ff514235a1be83dd8
SHA256 ab1ec8854fc718ac871ab4633b90c8746b1fd9590b2a1ad30c8960881d6c0ea6
SHA512 f153f546d2b88514ab2c5ebc61b6b03a695dc17de57bc23353a9769af6b9827b1672c2b7e76497c2d99a3a23c8939598ec9cbb7647297014510c4ef7a60c47f8
-
Filesize 20KB
MD5 ff004e67f4aaa0cec3d77e62d046cd80
SHA1 aad2787ce4074dce1633ce845ebb2c7e225d0e74
SHA256 c3f4d3ac595376d930d31b377987a408b63ba01a2fc684bcc8cd78cf31b4edf8
SHA512 13b9c789b94999e8a5071d90a9ad8366b44fbc55f58fecc60a7e07fcdb23c9d799cd0b4d48c146bb1de6e5f5e53f848d46711bb42e7bf087bbb5c7a6f80b3870
-
Filesize 19KB
MD5 dfb365dc3d78ccae5fb81ddd39e028c9
SHA1 96439ec931581ed3530eadb07e1b75d66018aa1e
SHA256 10cb4adc19ad03031254033ce4d939bc7228fe12afd0d8ef1f86d96f10a4fff9
SHA512 79b1091278e5c176c3ee80a25fd226e25ca6f94b95c7a2846fbd4eb7e53f9119c5374d37fa93b6d99e36358470fec4fa309ff9438092fafc8b050601e95d2398
-
Filesize 20KB
MD5 74c3e05f167c617ecc87c4491e37ce80
SHA1 3340cc3fcc84819f5a8815bf207037251b161584
SHA256 4a063a8cc0aaeab204d3358c3b1a942126e64e7d17599c9ebc17ec66b340b072
SHA512 31751f33c5c5140940f53a02b88c6fd1698e5085b29b150996428783d86367e5f434ab3b4aab1d40f4ee547c0f7d743eea25a39595ea646a56a229c5246ed929
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82