Analysis Overview
SHA256
f173cd6a86e6aaf1ebaddd4e14b8933516246d1bb320ddbe7c221895bb9281b6
Threat Level: Known bad
The file e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ZGRat
Detect ZGRat V1
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:21
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:21
Reported
2024-04-07 19:23
Platform
win7-20240215-en
Max time kernel
149s
Max time network
150s
Signatures
Detect ZGRat V1
ZGRat
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1888 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | Google.com | udp |
| TR | 185.227.139.18:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | af7135eb3edcf89dd1502dfc2cbc6b0a |
| SHA1 | 5fedf75e6e424ea57ec9fcbe72af23acefc3a7ca |
| SHA256 | 2f684760b996b855dd76bbd796b59b8b0c78d8d99264009bcb1e2dc6e774daf6 |
| SHA512 | ec90eca8e55877c66342eb40e76b9afa462f130171d967e77c4ea116d3c5f6039669505d1ef5f02031f86a7ae4fc6981e55b40b89703b7840c7ac77ecd974050 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | db646c29325a13637d357b458b12684d |
| SHA1 | 4d386717ffc95cc7effd21ad57603c54b0b563bc |
| SHA256 | 7c360adb4296af585a387c0b2b897801b08aca67ddd5f16b45fca92d0d2e3d74 |
| SHA512 | b79c06e142f9844815f70b3a0bc9a2c49db3536bb092eeaf5bc2d4d18afa6813d95eac9e92ae49457614384deb192f9571f448b15feb9323db4eae960ed6bf8e |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:21
Reported
2024-04-07 19:23
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Signatures
Detect ZGRat V1
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2756 set thread context of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Google.com
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\e5ac6f9f85c0e55f0d164afa56a45890_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Google.com | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| TR | 185.227.139.18:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aveafxkp.g32.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f1d55a85fae52e122bfa26132839be01 |
| SHA1 | ac3c60117134736e34418f5ff514235a1be83dd8 |
| SHA256 | ab1ec8854fc718ac871ab4633b90c8746b1fd9590b2a1ad30c8960881d6c0ea6 |
| SHA512 | f153f546d2b88514ab2c5ebc61b6b03a695dc17de57bc23353a9769af6b9827b1672c2b7e76497c2d99a3a23c8939598ec9cbb7647297014510c4ef7a60c47f8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ff004e67f4aaa0cec3d77e62d046cd80 |
| SHA1 | aad2787ce4074dce1633ce845ebb2c7e225d0e74 |
| SHA256 | c3f4d3ac595376d930d31b377987a408b63ba01a2fc684bcc8cd78cf31b4edf8 |
| SHA512 | 13b9c789b94999e8a5071d90a9ad8366b44fbc55f58fecc60a7e07fcdb23c9d799cd0b4d48c146bb1de6e5f5e53f848d46711bb42e7bf087bbb5c7a6f80b3870 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dfb365dc3d78ccae5fb81ddd39e028c9 |
| SHA1 | 96439ec931581ed3530eadb07e1b75d66018aa1e |
| SHA256 | 10cb4adc19ad03031254033ce4d939bc7228fe12afd0d8ef1f86d96f10a4fff9 |
| SHA512 | 79b1091278e5c176c3ee80a25fd226e25ca6f94b95c7a2846fbd4eb7e53f9119c5374d37fa93b6d99e36358470fec4fa309ff9438092fafc8b050601e95d2398 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74c3e05f167c617ecc87c4491e37ce80 |
| SHA1 | 3340cc3fcc84819f5a8815bf207037251b161584 |
| SHA256 | 4a063a8cc0aaeab204d3358c3b1a942126e64e7d17599c9ebc17ec66b340b072 |
| SHA512 | 31751f33c5c5140940f53a02b88c6fd1698e5085b29b150996428783d86367e5f434ab3b4aab1d40f4ee547c0f7d743eea25a39595ea646a56a229c5246ed929 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a86614eff96e1dce6cf80d4aa2fe6cb |
| SHA1 | 30a595c7289a1d9993069babca6d45297849589f |
| SHA256 | ac28dc2d4add74af332d7685315bd80fb3f0c7aed0ececc3af3f3b7943051a03 |
| SHA512 | 304846309b3815dbb5be8100e1384a058160cf7a0bf70c64ecc04ddbf569831df75788d176b8109ac9e7a7fcab25c57860fa4b43d3430a1ada6ae6bebf451115 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9e381c2ea62fd0d99ddc8811747aa6b |
| SHA1 | 990bf235b09e469222452d013f36b398623fc808 |
| SHA256 | 71cc857219a854f17e5ed9d136c622c91c9d3d215db03500aa10ce3c2bbe091a |
| SHA512 | fc28a18115bf26e566723483ad30971a2d2f626115d1851178bd2cf099ebdd4b439b0084ff1e128f6685fb58d090340928883ec45254eb44bae81682cd32d15d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e705eeecfa47334eae07762ca0bd745c |
| SHA1 | 7592483b5ec123718f489aba7f1eec38f26a09be |
| SHA256 | 6a2cbf6a197f0c647155445748d65ba459bda5643193c3645cc597281502e919 |
| SHA512 | 2a0253e95f0c06ae714295c8576e8475a262399610fd535d325484e64dae52612b6cd631a43e5114577a1bdd81306b94644991c4bc95281dfbf7c4602cfa1bc1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 052afd729e3ade04a74b40c992b9faa2 |
| SHA1 | d102b02b580eb55dbba12d46be17fe8751f474f4 |
| SHA256 | 04470335d2e4421304c2855af53594bfc3ed29b1433e13b5def47eba8b7f80b5 |
| SHA512 | 346b7e013fff7ca90e5a679567d58dd77d1c9b2605ffc3ec06a8c76773cfc3337bc65e1401922ac08c9281c67eb7af4dcdaa6d41bdf9feb08fd92d78e64e74c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 40711b5578ceeb33e67aa16d735beafe |
| SHA1 | 3fc84b1e4f7dd9f374b295eed43d36b0d69bf934 |
| SHA256 | 5b1f0359970f13ee055be281cb1cc2ca91249ce871477fa9ccfffde9446c437b |
| SHA512 | c18bc0997593d29d29593687ef5e5cfcb5e79500c8e4c17423a9b97e6166794bdc3f6b9b14e4dc04ac1286a7eb2e0843980c6409f64e4dd7461a6dbf7c7e9cf7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e6cab0fc4084e2777aa79d2ef3ba4e2e |
| SHA1 | 9c44779c71290ce73f97b7d59deb884bc017f4b1 |
| SHA256 | 040743ac9d0bb5f608a65d686843ebae99744cbce1d4952efa2caa1ce543fd1d |
| SHA512 | 47a90e2d864297c871a2a14679ae355dbdd840b9174d1a490c7b53bdfd7dc76cf8d1d344628dff74ecf52768ff50084cad85917e2c1a3265a5515d231ec182f1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d31fb6fd19983effb8c20582ab2b113 |
| SHA1 | 7ec20793c205f84e8fdf642f46a435b04496f8c9 |
| SHA256 | 712791ad83a07ffe320229e85215eada5bd946ceadcc3b2f412b042a9df04d4d |
| SHA512 | af531d543676ada558bfc71cade1319e3ae38efdfc2f51eb2a50ec3f2b28f8c43ff9f01358defd039ecce2be5be71221361e860c84c64e3f1a7bc51cccd0f4bd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cc3ab93f8226b33ff024aaeeea340e8 |
| SHA1 | f88f007e9f2636abf699ad94cb4dd3a40e644248 |
| SHA256 | 25b550daf26a81e417b1bf09b4980b917169778afb8c262d45b8a8480de167ef |
| SHA512 | 2420548f3feeb95a0e41dcb07d8c97ab56531ba5c864fc29a82adf9c020414e1aa3ce054c39134112d100ff10e329fc446d565b540bfada55652063aac3f10d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 01df767c4b8baa3303c8a7a6d1be52e6 |
| SHA1 | 173ecec865fcbc23d8a66a7162464b545f1b880d |
| SHA256 | 667d6f490736d03b1b8895ddc92feecc6022e3385da97f4782c18034ddee7c3f |
| SHA512 | 1385cf772f8fa07980a5475a998470638b9a9d48ee91ce5d99d0186a154c806cfa123fc9a9b34fc34b5a0ad68a40e049d188516bf1445bb98c58721c04341ecf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446f94627280ef58ecb75e196efebfe2 |
| SHA1 | 6ad40707c91cc4d27207f50ccba84219aae1b655 |
| SHA256 | 02f1e147baa61c9beb15fd2df4cb8158c44099bd130ae981b4ca46e0e649114e |
| SHA512 | cf5e8438995a7ad1e4688027eac38faafb9d49746b64be703f87d084d2e7140364ea0cda575ee38fecc02b75b8e7ab1269d472700428f7e36c2e440d95be9104 |