82090226e00e3cb4959978926f478a03ad813804ef511e0c0f6ef05f426b4666

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe
Size

997KB
MD5

0f81f465488d18dffa9165e06b2ae77f
SHA1

0c56da587224dc63b20ec2c00440b1f38f9df9da
SHA256

82090226e00e3cb4959978926f478a03ad813804ef511e0c0f6ef05f426b4666
SHA512

9ac91d0092faf8b6251f1a844c7b31719e4fa4592ba0305a12df2d9a79c7a52ec5f7ebc43639835a2023527fa141fd67924f7c72cf9e2142db30ec4b72b21c67
SSDEEP

12288:YVSszxoCDPp9iVRsFhS3TCU08CY4EFKj6agsGMDluoEtxX5jGIT9JVQBzQ:ExomPmbgIj28CY40sPgoEtxRP9QBzQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3992	powershell.exe
3992	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe
60	powershell.exe
60	powershell.exe
60	powershell.exe
1832	powershell.exe
1832	powershell.exe
1832	powershell.exe
1512	powershell.exe
1512	powershell.exe
3176	powershell.exe
3176	powershell.exe
3860	powershell.exe
3860	powershell.exe
3520	powershell.exe
3520	powershell.exe
468	powershell.exe
468	powershell.exe
2192	powershell.exe
2192	powershell.exe
2384	powershell.exe
2384	powershell.exe
756	powershell.exe
756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe
Token: 34	3992	powershell.exe
Token: 35	3992	powershell.exe
Token: 36	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe
Token: 34	3992	powershell.exe
Token: 35	3992	powershell.exe
Token: 36	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe
Token: 34	3992	powershell.exe
Token: 35	3992	powershell.exe
Token: 36	3992	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	89
PID 2664 wrote to memory of 3992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	89
PID 2664 wrote to memory of 3992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	89
PID 2664 wrote to memory of 1744	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	99
PID 2664 wrote to memory of 1744	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	99
PID 2664 wrote to memory of 1744	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	99
PID 2664 wrote to memory of 1576	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	103
PID 2664 wrote to memory of 1576	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	103
PID 2664 wrote to memory of 1576	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	103
PID 2664 wrote to memory of 2692	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	105
PID 2664 wrote to memory of 2692	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	105
PID 2664 wrote to memory of 2692	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	105
PID 2664 wrote to memory of 3680	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	109
PID 2664 wrote to memory of 3680	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	109
PID 2664 wrote to memory of 3680	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	109
PID 2664 wrote to memory of 2596	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	111
PID 2664 wrote to memory of 2596	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	111
PID 2664 wrote to memory of 2596	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	111
PID 2664 wrote to memory of 992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	113
PID 2664 wrote to memory of 992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	113
PID 2664 wrote to memory of 992	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	113
PID 2664 wrote to memory of 4124	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	115
PID 2664 wrote to memory of 4124	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	115
PID 2664 wrote to memory of 4124	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	115
PID 2664 wrote to memory of 4948	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	117
PID 2664 wrote to memory of 4948	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	117
PID 2664 wrote to memory of 4948	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	117
PID 2664 wrote to memory of 60	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	119
PID 2664 wrote to memory of 60	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	119
PID 2664 wrote to memory of 60	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	119
PID 2664 wrote to memory of 1832	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	121
PID 2664 wrote to memory of 1832	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	121
PID 2664 wrote to memory of 1832	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	121
PID 2664 wrote to memory of 1512	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	123
PID 2664 wrote to memory of 1512	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	123
PID 2664 wrote to memory of 1512	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	123
PID 2664 wrote to memory of 3176	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	125
PID 2664 wrote to memory of 3176	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	125
PID 2664 wrote to memory of 3176	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	125
PID 2664 wrote to memory of 3860	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	127
PID 2664 wrote to memory of 3860	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	127
PID 2664 wrote to memory of 3860	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	127
PID 2664 wrote to memory of 3520	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	129
PID 2664 wrote to memory of 3520	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	129
PID 2664 wrote to memory of 3520	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	129
PID 2664 wrote to memory of 468	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	131
PID 2664 wrote to memory of 468	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	131
PID 2664 wrote to memory of 468	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	131
PID 2664 wrote to memory of 2192	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	133
PID 2664 wrote to memory of 2192	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	133
PID 2664 wrote to memory of 2192	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	133
PID 2664 wrote to memory of 2384	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	135
PID 2664 wrote to memory of 2384	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	135
PID 2664 wrote to memory of 2384	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	135
PID 2664 wrote to memory of 756	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	137
PID 2664 wrote to memory of 756	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	137
PID 2664 wrote to memory of 756	2664	0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe	137

C:\Users\Admin\AppData\Local\Temp\0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f81f465488d18dffa9165e06b2ae77f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:60
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c018e16dd35f28481778200f64d48f7d

SHA1
1c62dc5094a3c3c1a029a6c364e085f8b394a5f8

SHA256
1eca7f2483e92089e119033f7da113033c06f53bd1925eb2029fcbd00cf14425

SHA512
2b100699503cb3c9775faf2ccb3f2365fa412eef29e2d8e631e1fa606bd2c5a4652c3dfb929da0d9964fd1ccf123ee81c509a9a45b03028fb045c6ce3f6c19c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
faaa1c66e91d36d19414b27a69a2cf1d

SHA1
87255140d9e85af6f381cbd87dd9b75805dd2214

SHA256
c4809cf1a43611a0b34e5f8f5c3488607b28e4be8780c8cdcb3565755bd17335

SHA512
4ba967b215420be596f158196d68184dbf8d125b4708b51e6d942b77b4a23e26dcdb1493ebc3b6dface27ae89e2fbaf8cfe44ace718788d5850529e20a76460a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
e2dca3523698173d2d6acc34e804acdd

SHA1
97e9be94d9a9a8768895711872f6151c0e20c969

SHA256
36d441deadbd85e7814d8d5050095b758405dbb529832c7f6966b611ce51e05d

SHA512
819c07f64871be42cb0201be93426e40a68bda3305b6197df84ccb9c512fb32c58aaf52725e7e9b2f78c5c15c0842fced87c2796a355ddd66b506d7b553fd7c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
b21078f79e7ca99ae576b9acb348817c

SHA1
1c997d674960eefd78625385f33c66377276a2b5

SHA256
26e3cf7f4e150f920451e1c73ddc624f1a8c9652be963f3961583abbed959aba

SHA512
797e2f23de388691bec3aae43174f05f245d5e673533f08c1c02852c709d0378691d2592de5584ffa69bc62e62b7fe09e8bf3ae6a15cead5e48acd6724ea4e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
2e9f300888a0434ff70558ccb56d0f70

SHA1
fb079a9836d27744427e39df04a3215dc227b8c6

SHA256
f75a476c6f65dbb0108296d018403412bc17b1c1acc2e5be0966050b5e5f6904

SHA512
1e12b1b6ae7d7e10a27f1c81b8258df1a37f8611ab08fa78c22d1d6219e7d7bf680aab64b44c3bb9be97a184317d729f8b6f845e5f486e6d9c26228fb5ef0872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
78b926f0af757ea714289480fa7c25aa

SHA1
44efab8f03fbb709e31208997b5fae5e26c3a748

SHA256
d8d540f34727dde28df89c4bc4c8969db8929e627581dbedeb6ba0a4470023d9

SHA512
45ebb1dce937d37e676b08f535389a2458396a21517db9d3fcf04e12173374595a167c40b97a894e0cec4ca1d7e35fd5288fe6e4ed5166c2cc75ae2525158bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
8c6ac569bbbb752411867247891c50e5

SHA1
fbd03e1e48a933b626effa1f1fca011afd41abee

SHA256
438d8c5e2decc6b07b85d003d94f58c6ef78f72824fb1bc79fc6f752a2d0a9c3

SHA512
cbf46bebc3d6985731f3497633116eb5661d7c9a203dc039a8faa03ac0c2e06e6b6bdedf845ecc5cea761344d03f53bea2ee101c22c4107184e4ab8f31b6bd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
171f5bf5992ae29ebb2e4f60b46333a5

SHA1
7e3f2bfcd04804907ef370352c9600326baac6d3

SHA256
aa16984c93c8cd1f13c1e10e49dc2e6f432df95d69c08553dcaf9d8bbbc9bf45

SHA512
048bdb12cbff047342ecad6c0cb64a1419b12cf98115112e1e0b90496b9d472000a309a171521172ed130d93468dd62d4fe11f6f8e58837a1e1b439e4c6359f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
6bdb452a19b1ec56dbdfd71b05b26083

SHA1
7aae7a8580329e13c151776faf3f95d06c52d103

SHA256
0f54b9fb095e611a0cf7f41464e880d18c125271ae8c5e45284a1718facdadb1

SHA512
9a43abc94c96b81ff0cd07235f40f6a6dcaf2685cf1cdb450c1d8e958746d54ee4c0ce2718f4a25f746df0f75d6e826ee3bb2f005fded93983d0f99d9af74092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
54cc062cd1ee1fc3dd89766a4c136e32

SHA1
a0d71ff491c8eaedd7648c31133ae5f665709328

SHA256
38237e2a0ce42d6c6473620fb8822197b5a7b6cca35b051375c2aff592b76294

SHA512
73e39da181d21410a40968889346592b007a02cb2b24291599984840911efac8276822ea25f07b1a70594d4b43071ce16c566e7080f79a9fe6a935c8eb9c1488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
76965b6447ed5f48ae13e68e5cf7fe4c

SHA1
295602a7c2c84d2ac4bf3e2a954810c3d2cdcccc

SHA256
d55479ee2f7625939fdfa55c008e25cebaa9db94df621aa5f4b416952e0c810b

SHA512
7ebaefcd024815d5ffbc829c64f6a99accb14ffb9df7f8d611e4e9d0577266668a94f1dcd6b06aa07a7826094d7ff615eeceacc32de0b7ba9b792657cac86a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
315c11ae4ebd572f948d932dca3de0f0

SHA1
6d3b12ca2cf544d2f53d1558e23f05579309fe2b

SHA256
7319cb4e6ff5342757b9700373fda0f0a424ab8a6d7a353798182ff58f363faf

SHA512
8d1f476134131acb7c3d0aff813d529c49c981bf8532b83c838d49ebadf8005f53a2f6246aa6f6087ebec1e21093a8888a5bffe8806c5353b616eb98ce3cc454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
8e9a75a85ca8b71f8998568ca6bba5aa

SHA1
1b0884c950de353e22b2053f461030eb1233f079

SHA256
f345808129db5686539b6585a3bc1c6085a9b91a7da026390001d62a38819e9d

SHA512
24e605eeaaa93c6b9762b7837f9f12dd46be9f2c7f58a4baffd44e74b5a79c29448dee7d154b6b275a0f8458e08854b2293a570e36becf3718c0e5ee5e0683b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
6a88529c869e9aaa797370f7afa587de

SHA1
dd571bc0db86eec3a0bb1750baf0dddf7145f87d

SHA256
5e827ca1c769cb00207bc00171958cd5afdad6cb665882138088f3569c1661bf

SHA512
4ae50aacfa324ca25cf00aed03e0e9116d35cac464d12188f74dba31c0b2bd4aff3472396f62eea9ad29b140d4fc835e0a85ac1ce06b443716ff5c99ac25b876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
e815cc983a429201a746048e0e930dd2

SHA1
cce2c51f0b018cbc9038df9cedf3751b39b2b0af

SHA256
d2ad9b3eb3dcf606a08ae0acfaacf7febf5cc837da112154d61f3e2276ba4053

SHA512
b67b38e0efa718a436d1a1303307cd0b85275e3abdc4b451f342cc3c8149cd6f8a82c1f601d710b4b9e65cb28a7542f73972f5ab470e4dbe685beb6dd91965a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
67530086832fc67721e1ff420a6d0382

SHA1
c79e1ae9ab296f9534b3101f54200ffb1533398d

SHA256
8856b7de09b8e61bdb149a74e48893f46f11f1a6e5d745855dad277e595ded27

SHA512
308c0e6bab40bb512dbaf10873fe9c3959ae183091dd1fe62876e96d982849924b742768490db6f51593eb128244b1364372ad920d4bfbc8d5a4348042888e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
f3b15d1d3400b782a47d541e96c49ef0

SHA1
0c6612a0f7af60142aee1c5b7969bb80fb7d8048

SHA256
54ea16c0f3c7de32af37a276a04af276bb58b169665a793d8a9337a7d04c79e2

SHA512
dacd09d3c9e5b5d3984a9616da9be054e33e449e2f24ef3c80dad87e6ad5942e934236664cab349d66764c43b3255f80c8b69faa2f92a242635950c95a4946c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
dd885811b93c2b1ae609014ea58f4418

SHA1
8180894506b4eb0f411c8ffc5fa4af49edd276c7

SHA256
23718f62419028b8163fb7ce14a4be9aa30691d68bb338ebc8c9ae03d2d90aee

SHA512
a9f565e56cc00a52b24c21bd2d75641a239e03e65e4eb2e28651f7a2e35300010fdde5ce781e25a298e6bd51bea6b95886efbda774b2b750e7ec6366f906e383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
92a7ac6d92749526c19712d02730ce7d

SHA1
e951b998fac5bb7a5d9de78d6fe830c4990d64bf

SHA256
ee018dbd462cf20cc0e30dc6320329fd50b7cfe7b8f1715b8807e891694f1a19

SHA512
1a278dbc7b61336b4a4584d1fa7c0f059d07dd753d1c6a7a1bf78c5f522c20a1d15de3defce3a12cca4eca840c89399b6a57c64089159b93683c63373c4bc722

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebivfouu.qld.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/60-242-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/468-369-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/756-432-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/992-178-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/1512-284-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/1576-93-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/1744-59-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-82-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-58-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-60-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-71-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/1832-263-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/2192-390-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/2384-411-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/2596-157-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/2664-44-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/2664-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/2692-113-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-115-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3176-305-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3520-348-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3680-136-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3860-325-0x0000000006390000-0x00000000066E4000-memory.dmp

Filesize
3.3MB

Download
memory/3860-327-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3992-37-0x0000000007CD0000-0x000000000834A000-memory.dmp

Filesize
6.5MB

Download
memory/3992-52-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-41-0x0000000007890000-0x00000000078A1000-memory.dmp

Filesize
68KB

Download
memory/3992-39-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/3992-42-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/3992-38-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/3992-43-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/3992-56-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-53-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-36-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/3992-34-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3992-45-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-35-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-2-0x0000000002A60000-0x0000000002A96000-memory.dmp

Filesize
216KB

Download
memory/3992-23-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3992-46-0x0000000007BC0000-0x0000000007BEA000-memory.dmp

Filesize
168KB

Download
memory/3992-24-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-22-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/3992-21-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/3992-40-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/3992-20-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/3992-15-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/3992-7-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3992-51-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-50-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/3992-8-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/3992-49-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-9-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-48-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-6-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/3992-5-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-4-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/3992-47-0x0000000007BF0000-0x0000000007C14000-memory.dmp

Filesize
144KB

Download
memory/3992-3-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-200-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/4124-198-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-221-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download