{
	"id": "295fa052-2f85-4a8c-9721-3a1552ed1b2e",
	"created_at": "2026-04-06T00:11:15.024145Z",
	"updated_at": "2026-04-10T03:20:28.861256Z",
	"deleted_at": null,
	"sha1_hash": "ee1c3c6487ed836010f81598e170f3cebee6ff31",
	"title": "AceHash",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75248,
	"plain_text": "AceHash\r\nArchived: 2026-04-05 18:01:46 UTC\r\n1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.\r\nLogonGuid/LogonId: ID of the logon session\r\nParentProcessGuid/ParentProcessId: Process ID of the parent process\r\nParentImage: Executable file of the parent process\r\nCurrentDirectory: Work directory (directory of the tool)\r\nCommandLine: Command line of the execution command ([Executable File Name of Tool] -l)\r\nIntegrityLevel: Privilege level\r\nParentCommandLine: Command line of the parent process\r\nUtcTime: Process execution date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nUser: Execute as user\r\nHashes: Hash value of the executable file\r\nImage: Path to the executable file (path to the tool)\r\nSecurity 4688 Process Create A new process has been created.\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nLog Date and Time: Process execution date and time (local time)\r\nProcess Information \u003e New Process Name: Path to the executable file (path to the tool)\r\nProcess Information \u003e Token Escalation Type: Presence of privilege escalation (2)\r\nProcess Information \u003e New Process ID: Process ID (hexadecimal)\r\nProcess Information \u003e Source Process ID: Process ID of the parent process that created the new process.\r\n\"Creator Process ID\" in Windows 7\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n2 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.\r\nSourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID\r\nTargetProcessGUID/TargetProcessId: Process ID of the access destination process\r\nGrantedAccess: Details of the granted access (0x1FFFFF)\r\nSourceImage: Path to the access source process (path to the tool)\r\nTargetImage: Path to the access destination process 
(C:\\Windows\\system32\\lsass.exe)\r\nMicrosoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread)\r\nCreateRemoteThread detected.\r\nNewThreadId: Thread ID of the new thread\r\nhttps://jpcertcc.github.io/ToolAnalysisResultSheet/details/AceHash.htm\r\nPage 1 of 7\n\nTargetProcessGuid/TargetProcessId: Process ID of the destination process\r\nTargetImage: Path to the destination process (C:\\Windows\\system32\\lsass.exe)\r\nUtcTime: Execution date and time (UTC)\r\nSourceImage: Path to the source process (path to the tool)\r\nSourceProcessGuid/SourceProcessId: Process ID of the source process\r\n3 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.\r\nUtcTime: Process terminated date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nImage: Path to the executable file (path to the tool)\r\nSecurity 4689 Process Termination A process has exited.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nProcess Information \u003e Exit Status: Process return value (0x1)\r\nLog Date and Time: Process terminated date and time (local time)\r\nProcess Information \u003e Process Name: Path to the executable file (path to the tool)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n4 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.\r\nImage: Path to the executable file (C:\\Windows\\System32\\svchost.exe)\r\nProcessGuid/ProcessId: Process ID\r\nTargetFilename: Created file (C:\\Windows\\Prefetch\\[Executable File Name of Tool]-[RANDOM].pf)\r\nCreationUtcTime: File creation date and time (UTC)\r\nSecurity 4656 File System/Other Object Access Events A handle to an object was requested.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nAccess Request Information \u003e 
Access/Reason for Access/Access Mask: Requested privileges (WriteData\r\nor AddFile, AppendData)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nObject \u003e Object Name: Target file name (C:\\Windows\\Prefetch\\[Executable File Name of Tool]-\r\n[RANDOM].pf)\r\nProcess Information \u003e Process Name: Name of the process that closed the handle\r\n(C:\\Windows\\System32\\svchost.exe)\r\nObject \u003e Object Type: Type of the file (File)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant handle\r\nSecurity 4663 File System An attempt was made to access an object.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nAccess Request Information \u003e Access/Reason for Access/Access Mask: Requested privileges (WriteData\r\nor AddFile, AppendData)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nObject \u003e Object Name: Target file name (C:\\Windows\\Prefetch\\[Executable File Name of Tool]-\r\n[RANDOM].pf)\r\nAudit Success: Success or failure (access successful)\r\nProcess Information \u003e Process Name: Name of the process that closed the handle\r\n(C:\\Windows\\System32\\svchost.exe)\r\nObject \u003e Object Type: Category of the target (File)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)\r\nSecurity 4658 File System The handle to an object was closed.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nProcess Information \u003e Process Name: Name of the process that requested the object\r\n(C:\\Windows\\System32\\svchost.exe)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account 
name/Domain of the user who\r\nexecuted the tool\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)\r\n5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.\r\nLogonGuid/LogonId: ID of the logon session\r\nParentProcessGuid/ParentProcessId: Process ID of the parent process\r\nParentImage: Executable file of the parent process\r\nCurrentDirectory: Work directory\r\nCommandLine: Command line of the execution command ([Executable File Name] -s [User Name]:\r\n[Domain Name]:[Hash] \"[Execution Command]\")\r\nIntegrityLevel: Privilege level (High)\r\nParentCommandLine: Command line of the parent process\r\nUtcTime: Process execution date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nUser: Execute as user\r\nHashes: Hash value of the executable file\r\nImage: Path to the executable file (path to the executable file)\r\nSecurity 4688 Process Create A new process has been created.\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nLog Date and Time: Process execution date and time (local time)\r\nProcess Information \u003e New Process Name: Path to the executable file (path to the tool)\r\nProcess Information \u003e Token Escalation Type: Presence of privilege escalation (2)\r\nProcess Information \u003e New Process ID: Process ID (hexadecimal)\r\nProcess Information \u003e Source Process ID: Process ID of the parent process that created the new process.\r\n\"Creator Process ID\" in Windows 7\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n6 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.\r\nLogonGuid/LogonId: ID of the logon session\r\nParentProcessGuid/ParentProcessId: Process 
ID of the parent process\r\nParentImage: Executable file of the parent process (path to the tool)\r\nCurrentDirectory: Work directory (C:\\Windows\\system32\\)\r\nCommandLine: Command line of the execution command (cmd.exe)\r\nIntegrityLevel: Privilege level (High)\r\nParentCommandLine: Command line of the parent process ([Executable File Name of Tool] -s [User\r\nName]:[Password]:[Hash] \"[Execution Command]\")\r\nUtcTime: Process execution date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nUser: Execute as user\r\nHashes: Hash value of the executable file\r\nImage: Path to the executable file (C:\\Windows\\System32\\cmd.exe)\r\nSecurity 4688 Process Create A new process has been created.\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nLog Date and Time: Process execution date and time (local time)\r\nProcess Information \u003e New Process Name: Path to the executable file (C:\\Windows\\System32\\cmd.exe)\r\nProcess Information \u003e Token Escalation Type: Presence of privilege escalation (1)\r\nProcess Information \u003e New Process ID: Process ID (hexadecimal)\r\nProcess Information \u003e Source Process ID: Process ID of the parent process that created the new process.\r\n\"Creator Process ID\" in Windows 7\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n7 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.\r\nSourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID\r\nTargetProcessGUID/TargetProcessId: Process ID of the access destination process\r\nGrantedAccess: Details of the granted access (0x1FFFFF)\r\nSourceImage: Path to the access source process (path to the executable file)\r\nTargetImage: Path to the access destination process (C:\\Windows\\system32\\lsass.exe)\r\n
Microsoft-Windows-Sysmon/Operational 8 CreateRemoteThread detected (rule: CreateRemoteThread)\r\nCreateRemoteThread detected.\r\nNewThreadId: Thread ID of the new thread\r\nTargetProcessGuid/TargetProcessId: Process ID of the destination process\r\nTargetImage: Path to the destination process (C:\\Windows\\system32\\lsass.exe)\r\nUtcTime: Execution date and time (UTC)\r\nSourceImage: Path to the source process (path to the executable file)\r\nSourceProcessGuid/SourceProcessId: Process ID of the source process\r\n8 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network\r\nconnection detected.\r\nProtocol: Protocol (tcp)\r\nDestinationIp: Destination IP address (Domain Controller IP address)\r\nImage: Path to the executable file (System)\r\nDestinationHostname: Destination host name (Domain Controller host name)\r\nProcessGuid/ProcessId: Process ID (4)\r\nUser: Execute as user (NT AUTHORITY\\SYSTEM)\r\nDestinationPort: Destination port number (445)\r\nSourcePort: Source port number (high port)\r\nSourceHostname: Source host name (source host)\r\nSourceIp: Source IP address (source host IP address)\r\nSecurity 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.\r\nNetwork Information \u003e Destination Port: Destination port number (445)\r\nNetwork Information \u003e Source Port: Source port number (high port)\r\nNetwork Information \u003e Destination Address: Destination IP address (Domain Controller)\r\nNetwork Information \u003e Protocol: Protocol used (6=TCP)\r\nApplication Information \u003e Application Name: Execution process (System)\r\nNetwork Information \u003e Direction: Communication direction (outbound)\r\nNetwork Information \u003e Source Address: Source IP address (source host)\r\nApplication Information \u003e Process ID: Process ID (4)\r\n9 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.\r\nUtcTime: Process 
terminated date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nImage: Path to the executable file (C:\\Windows\\System32\\cmd.exe)\r\nSecurity 4689 Process Termination A process has exited.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nProcess Information \u003e Exit Status: Process return value (0x0)\r\nLog Date and Time: Process terminated date and time (local time)\r\nProcess Information \u003e Process Name: Path to the executable file (C:\\Windows\\System32\\cmd.exe)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n10 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.\r\nUtcTime: Process terminated date and time (UTC)\r\nProcessGuid/ProcessId: Process ID\r\nImage: Path to the executable file (execution path to the tool)\r\nSecurity 4689 Process Termination A process has exited.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nProcess Information \u003e Exit Status: Process return value (0xFFFFFFFF)\r\nLog Date and Time: Process terminated date and time (local time)\r\nProcess Information \u003e Process Name: Path to the executable file (execution path to the tool)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\n11 Security 4656 File System/Other Object Access Events A handle to an object was requested.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nAccess Request Information \u003e Access/Reason for Access/Access Mask: Requested privileges (WriteData\r\nor AddFile, AppendData)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account 
name/Domain of the user who\r\nexecuted the tool\r\nObject \u003e Object Name: Target file name (C:\\Windows\\Prefetch\\[Executable File Name of Tool]-\r\n[RANDOM].pf)\r\nProcess Information \u003e Process Name: Name of the process that closed the handle\r\n(C:\\Windows\\System32\\svchost.exe)\r\nObject \u003e Object Type: Type of the file (File)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant handle\r\nSecurity 4663 File System An attempt was made to access an object.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nAccess Request Information \u003e Access/Reason for Access/Access Mask: Requested privileges (WriteData\r\nor AddFile, AppendData)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nObject \u003e Object Name: Target file name (C:\\Windows\\Prefetch\\[Executable File Name of Tool]-\r\n[RANDOM].pf)\r\nAudit Success: Success or failure (access successful)\r\nProcess Information \u003e Process Name: Name of the process that closed the handle\r\n(C:\\Windows\\System32\\svchost.exe)\r\nObject \u003e Object Type: Category of the target (File)\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)\r\nSecurity 4658 File System The handle to an object was closed.\r\nProcess Information \u003e Process ID: Process ID (hexadecimal)\r\nProcess Information \u003e Process Name: Name of the process that requested the object\r\n(C:\\Windows\\System32\\svchost.exe)\r\nSubject \u003e Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who\r\nexecuted the tool\r\nSubject \u003e Logon ID: Session ID of the user who executed the process\r\nObject \u003e Handle ID: ID of the relevant 
handle (handle obtained with Event ID 4656)\r\nSource: https://jpcertcc.github.io/ToolAnalysisResultSheet/details/AceHash.htm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/AceHash.htm"
	],
	"report_names": [
		"AceHash.htm"
	],
	"threat_actors": [],
	"ts_created_at": 1775434275,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee1c3c6487ed836010f81598e170f3cebee6ff31.pdf",
		"text": "https://archive.orkl.eu/ee1c3c6487ed836010f81598e170f3cebee6ff31.txt",
		"img": "https://archive.orkl.eu/ee1c3c6487ed836010f81598e170f3cebee6ff31.jpg"
	}
}