Analysis
max time kernel: 92s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 07:17
Static task: static1
Behavioral task: behavioral1
  Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
The signatures, IoCs and process tree below come from behavioral2, the windows10-2004_x64 run named under Analysis (the yara match is reported against behavioral2/files/...).
General
Target: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Size: 2.5MB
MD5: e6ec699b6839f02fec298d786d95244e
SHA1: f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
SHA256: d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
SHA512: e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
SSDEEP: 1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Malware Config
Extracted from: C:\Program Files\7-Zip\readme-warning.txt
Family: makop
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Modifies Windows Defender Real-time Protection settings 4 IoCs
(heading restored from the process tree; the page lists these rows without it)
Process for every row: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
Turns off Windows Defender SpyNet reporting 2 TTPs
(the two SpyNet rows, SpyNetReporting = "0" and SubmitSamplesConsent = "0", are listed under Windows security modification below)

Windows security bypass 2 IoCs
(heading restored from the process tree)
Process for both rows: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe = "0"
The sample writes the exclusion for its own path directly and, separately, asks powershell.exe to add the same exclusion with Add-MpPreference (see the process tree).

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Nirsoft 1 IoCs
resource: behavioral2/files/0x000700000002320f-14.dat  yara_rule: Nirsoft
(AdvancedRun.exe, the NirSoft tool run below, is the only dropped executable in the tree)

Renames multiple (6457) files with added filename extension
This suggests ransomware encrypting files across the whole system.

pid 1052  Process wbadmin.exe
(row listed on the page without its signature heading; cmd.exe 468 starts wbadmin.exe 1052, see the WriteProcessMemory rows)
Stops running service(s) 3 TTPs

Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Key value queried  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  AdvancedRun.exe
Key value queried  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe

Executes dropped EXE 3 IoCs
pid 1952 AdvancedRun.exe; pid 2180 AdvancedRun.exe; pid 4944 AdvancedRun.exe

Windows security modification 10 IoCs
(heading restored from the process tree)
Process for every row: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe = "0"
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Every Defender write on this page was recorded under WOW6432Node: the sample is a 32-bit process (arch:x86 resource tag, SysWOW64 image paths in the tree), so its registry access went through WOW64 redirection. Detection content should therefore match both the native Windows Defender keys and their WOW6432Node view.
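The registry rows above are the sandbox's own wording. The following is an added example (not code from the sandbox or from this sample) that turns them into a detection: it normalises a registry path (hive prefix, SOFTWARE, and the WOW6432Node component removed), then matches the value name and data against the Defender settings this sample switches off and treats any value written under Exclusions\Paths as an added exclusion. SAMPLE_ROWS are the page's rows; HOST_ROWS are constructed in a Sysmon Event ID 13 style (HKLM\... with DWORD data) and are an assumption about the telemetry format, not something on the page.

```python
"""Flag Microsoft Defender tampering in registry-write rows.

Added example, not part of the sandbox report. SAMPLE_ROWS repeat the
Defender rows from the report; HOST_ROWS are constructed in a Sysmon
Event ID 13 style (HKLM\\... with DWORD data) to show that the same
normalisation covers host telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# (key below HKLM\SOFTWARE with any WOW6432Node component removed, value name)
# -> the data that switches the protection off. Compared lower-case.
TAMPER_INDICATORS = {
    ("policies\\microsoft\\windows defender\\real-time protection", "disablebehaviormonitoring"): "1",
    ("policies\\microsoft\\windows defender\\real-time protection", "disableonaccessprotection"): "1",
    ("policies\\microsoft\\windows defender\\real-time protection", "disablescanonrealtimeenable"): "1",
    ("microsoft\\windows defender\\real-time protection", "disablerealtimemonitoring"): "1",
    ("microsoft\\windows defender\\features", "tamperprotection"): "0",
    ("microsoft\\windows defender\\spynet", "spynetreporting"): "0",
    ("microsoft\\windows defender\\spynet", "submitsamplesconsent"): "0",
}
# Every value under this key names an excluded path; data 0 is what Add-MpPreference -ExclusionPath writes.
EXCLUSION_KEY = "microsoft\\windows defender\\exclusions\\paths\\"

# Sandbox row: Set value (int) \REGISTRY\MACHINE\...\Name = "1"
# Host row:    HKLM\SOFTWARE\...\Name = DWORD (0x00000001)
ROW_RE = re.compile(r'^(?:Set value \(\w+\) )?(?P<path>.+?) = (?P<data>.+)$')


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    data: str
    technique: str


def normalise_key(path: str) -> str:
    """Strip the hive, SOFTWARE and the WOW6432Node redirection component; lower-case."""
    p = path.lower()
    for prefix in ("\\registry\\machine\\software\\", "hklm\\software\\", "hkey_local_machine\\software\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    if p.startswith("wow6432node\\"):
        p = p[len("wow6432node\\"):]
    return p


def normalise_data(data: str) -> str:
    """'"1"' -> '1' and 'DWORD (0x00000001)' -> '1', so both row styles compare alike."""
    d = data.strip().strip('"')
    m = re.fullmatch(r"dword \((0x[0-9a-f]+)\)", d, re.IGNORECASE)
    return str(int(m.group(1), 16)) if m else d


def classify(path: str, data: str) -> Optional[Finding]:
    norm = normalise_key(path)
    d = normalise_data(data)
    if norm.startswith(EXCLUSION_KEY):
        tail = len(norm) - len(EXCLUSION_KEY)               # lower-casing keeps lengths, so the
        excluded = path[len(path) - tail:] if tail else ""  # tail of the original is the excluded path
        if d == "0" and excluded:
            return Finding(EXCLUSION_KEY.rstrip("\\"), excluded, d, "T1562.001 Defender path exclusion added")
        return None
    key, _, value = norm.rpartition("\\")
    expected = TAMPER_INDICATORS.get((key, value))
    if expected is not None and d == expected:
        return Finding(key, value, d, "T1562.001 Defender protection disabled")
    return None


def scan(rows: List[str]) -> List[Finding]:
    """Run classify over rows; 'Key created' rows carry no data and are skipped."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            f = classify(m["path"], m["data"])
            if f:
                findings.append(f)
    return findings


SAMPLE_ROWS = [  # copied from the report's Defender rows
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"',
]
HOST_ROWS = [  # constructed, not from the page: one hit and one control row whose data is not the "off" value
    r'HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = DWORD (0x00000001)',
    r'HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = DWORD (0x00000005)',
]
```

On a live host, feed the same function the TargetObject/Details pair of each Sysmon registry event; the exclusion branch is the one worth alerting on first, since an exclusion for the sample's own path neutralises any later scan of that file.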
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only)  \??\F:  e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
pid 3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (13 calls); pid 3952 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (12 calls)

Suspicious use of SetThreadContext 2 IoCs
PID 3844 (e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe) set thread context of 1792 (procid_target 100)
PID 3952 (e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe) set thread context of 2824 (procid_target 146)
ThreadHideFromDebugger is an anti-debugging call. Read together with the WriteProcessMemory rows below, the SetThreadContext entries show each injecting instance starting a fresh copy of itself and redirecting that copy's thread; PID 1792 is the copy that goes on to enumerate drives and write files.
Drops file in Program Files directory 64 IoCs
Process for every row: e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
File created  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\readme-warning.txt
File opened for modification  C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxSignature.p7x
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\FacebookProfilePictureControl.xbf
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e35cc441.pri
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML
File opened for modification  C:\Program Files\ShowResolve.vbe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac
File opened for modification  C:\Program Files\WatchDeny.docm
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\resources.pri
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-100_contrast-black.png
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js
File opened for modification  C:\Program Files\Java\jre-1.8\lib\javaws.jar
File opened for modification  C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-150.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\readme-warning.txt
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\readme-warning.txt
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\readme-warning.txt
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1
File created  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\readme-warning.txt
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-400.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\PlayStore_icon.svg
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\readme-warning.txt
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.ps1
File opened for modification  C:\Program Files\7-Zip\Lang\th.txt
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated_contrast-white.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent_Light.png
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MedTile.scale-125.png
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreMedTile.scale-100.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-200_contrast-black.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\readme-warning.txt
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\readme-warning.txt
File opened for modification  C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.[22D0FE02].[[email protected]].makop
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms
File opened for modification  C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-unplated.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\readme-warning.txt
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Rotate.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\readme-warning.txt
Two markers stand out for scoping: readme-warning.txt is dropped into each directory the encryptor visits, and encrypted files carry the name pattern <original name>.[22D0FE02].[contact].makop, where 22D0FE02 is the per-victim ID. The contact address inside the second bracket pair was masked by the page's extraction and is shown exactly as it appears.
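An added example (not the sandbox's code) that uses those two markers to scope an incident from file-activity rows: it parses rows in the sandbox's "File created / File opened for modification" wording, separates ransom notes from encrypted outputs and from files merely opened, and pulls the victim ID and contact out of the Makop extension. SAMPLE_ROWS are a subset of the list above; the assumption that the original file name is everything before the marker comes from the classes.jsa row. The contact regex is non-greedy so the masked "[email protected]" form on this page still parses.

```python
"""Scope a Makop infection from file-activity rows.

Added example, not part of the sandbox report. SAMPLE_ROWS are a subset of
the 'Drops file in Program Files directory' list above; the extension layout
(.[8-hex victim ID].[contact].makop) and the note name readme-warning.txt are
taken from those rows. The masked contact is kept as the page shows it.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

RANSOM_NOTE = "readme-warning.txt"
# <original name>.[<8 hex victim ID>].[<contact>].makop
# The contact group is non-greedy so a bracketed/masked address still parses.
MAKOP_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<vid>[0-9A-Fa-f]{8})\]\.\[(?P<contact>.+?)\]\.makop$")
ROW_RE = re.compile(r"^(?P<action>File created|File opened for modification)\s+(?P<path>.+)$")


def parse_makop_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (original_name, victim_id, contact) for a Makop-encrypted file name, else None."""
    m = MAKOP_RE.match(name)
    return (m["orig"], m["vid"], m["contact"]) if m else None


def original_path(path: str) -> Optional[str]:
    """Rebuild the pre-encryption path (assumes the marker was appended to the original name)."""
    parsed = parse_makop_name(ntpath.basename(path))
    return ntpath.join(ntpath.dirname(path), parsed[0]) if parsed else None


def classify_row(row: str) -> Tuple[str, str]:
    """Map one sandbox row to (category, path)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    path = m["path"]
    name = ntpath.basename(path)
    if name.lower() == RANSOM_NOTE:
        return "ransom_note", path
    if parse_makop_name(name):
        return "encrypted", path
    return "opened_for_modification", path   # candidate victim file, not yet renamed in this row


def summarise(rows: List[str]) -> Dict[str, object]:
    """Counts per category plus the victim IDs, contacts and note directories seen."""
    counts: Counter = Counter()
    victim_ids, contacts, note_dirs = set(), set(), set()
    for row in rows:
        cat, path = classify_row(row)
        counts[cat] += 1
        if cat == "ransom_note":
            note_dirs.add(ntpath.dirname(path))
        elif cat == "encrypted":
            _, vid, contact = parse_makop_name(ntpath.basename(path))
            victim_ids.add(vid)
            contacts.add(contact)
    return {"counts": dict(counts), "victim_ids": victim_ids,
            "contacts": contacts, "note_dirs": note_dirs}


SAMPLE_ROWS = [  # subset of the report's rows
    r"File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\readme-warning.txt",
    r"File opened for modification C:\Program Files\7-Zip\Lang\th.txt",
    r"File opened for modification C:\Program Files\Java\jre-1.8\lib\javaws.jar",
    r"File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.[22D0FE02].[[email protected]].makop",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\readme-warning.txt",
    r"File opened for modification C:\Program Files\ShowResolve.vbe",
]
```

The same parse_makop_name check, applied to the names returned by a directory walk on an affected host, gives a file inventory and confirms that one victim ID covers the whole machine; a second ID would mean a second run or a second host.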
Launches sc.exe 17 IoCs
sc.exe is the Windows utility for controlling services on the system.
pids (all sc.exe): 1424, 644, 4928, 4440, 2716, 2148, 2740, 3156, 4148, 4524, 3688, 1364, 960, 3468, 1672, 4696, 4428

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
pid 2408 WerFault.exe for crashed pid 3844 (procid_target 83)
pid 4400 WerFault.exe for crashed pid 3952 (procid_target 103)
Both crashed processes are the instances of the sample that performed the SetThreadContext injection.

Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
All four reads are by vds.exe (the Virtual Disk Service), not by the sample. The sandbox-detection wording is this signature's generic description; nothing on the page shows the sample querying these keys itself.

Delays execution with timeout.exe 2 IoCs
pid 1972 timeout.exe; pid 1012 timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 432 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid 1952 AdvancedRun.exe (4); pid 2180 AdvancedRun.exe (4); pid 4452 powershell.exe (2); pid 3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (5); pid 4944 AdvancedRun.exe (4); pid 1792 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (2); pid 3592 powershell.exe (3); pid 3952 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (6)

Suspicious use of AdjustPrivilegeToken 58 IoCs
Privileges enabled, per process:
1952 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
2180 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
4452 powershell.exe: SeDebugPrivilege
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe: SeDebugPrivilege
4944 AdvancedRun.exe: SeDebugPrivilege, SeImpersonatePrivilege
3296 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2152 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
4124 WMIC.exe (the same 21 privileges, enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privileges 33, 34, 35 and 36 (reported by LUID only)
3592 powershell.exe: SeDebugPrivilege
3952 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe: SeDebugPrivilege
vssvc.exe and wbengine.exe are the Volume Shadow Copy and Windows Backup engine services woken by the vssadmin.exe and wbadmin.exe calls, and WMIC.exe enabling every privilege in its token is its normal start-up behaviour. The entries under attacker control are the SeDebugPrivilege and SeImpersonatePrivilege enables in the sample, AdvancedRun.exe and powershell.exe.

Suspicious use of WriteProcessMemory 64 IoCs
Grouped as writer -> target (procid_target, number of writes):
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 1952 AdvancedRun.exe (87, 3)
1952 AdvancedRun.exe -> 2180 AdvancedRun.exe (88, 3)
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 4452 powershell.exe (94, 3)
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 336 cmd.exe (96, 3)
336 cmd.exe -> 1972 timeout.exe (98, 3)
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 4160 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (99, 3)
3844 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 1792 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe (100, 9)
1792 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 468 cmd.exe (105, 2)
468 cmd.exe -> 432 vssadmin.exe (109, 2)
3952 e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe -> 4944 AdvancedRun.exe (110, 2 writes listed three times: 3)
3852 cmd.exe -> 4524 sc.exe (115, 2)
3852 cmd.exe -> 4440 sc.exe (116, 2)
3852 cmd.exe -> 3688 sc.exe (117, 2)
468 cmd.exe -> 1052 wbadmin.exe (118, 2)
3852 cmd.exe -> 2716 sc.exe (120, 2)
3852 cmd.exe -> 4696 sc.exe (142, 2)
3852 cmd.exe -> 3156 sc.exe (122, 2)
3852 cmd.exe -> 1424 sc.exe (124, 2)
3852 cmd.exe -> 2148 sc.exe (125, 2)
3852 cmd.exe -> 4148 sc.exe (127, 2)
3852 cmd.exe -> 4428 sc.exe (128, 2)
468 cmd.exe -> 4124 WMIC.exe (129, 2)
3852 cmd.exe -> 1364 sc.exe (130, 2)
3852 cmd.exe -> 2740 sc.exe (131, 2)
3852 cmd.exe -> 644 sc.exe (132, 2)
The two or three writes that accompany every parent-to-child edge are the ordinary process-creation writes. The nine writes from 3844 into 1792, paired with the SetThreadContext row above, are the injection into the copy that performs the encryption. cmd.exe 468, under PID 1792, is the parent of vssadmin.exe, wbadmin.exe and WMIC.exe (the backup-deletion step); its command line is not shown on the page.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3844

  C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1952

    C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2bb7a623-b619-4a44-9f03-14b53dbadc2e\AdvancedRun.exe" /SpecialRun 4101d8 1952
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2180

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4452

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
    PID: 336

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
      PID: 1972

  C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
    PID: 4160

  C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1792

    C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" n1792
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3952

      C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4944

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat"
          - Suspicious use of WriteProcessMemory
          PID: 3852

          C:\Windows\system32\sc.exe
            Command line: sc stop windefend
            - Launches sc.exe
            PID: 4524

          C:\Windows\system32\sc.exe
            Command line: sc config windefend start= disabled
            - Launches sc.exe
            PID: 4440

          C:\Windows\system32\sc.exe
            Command line: sc stop Sense
            - Launches sc.exe
            PID: 3688

          C:\Windows\system32\sc.exe
            Command line: sc config Sense start= disabled
            - Launches sc.exe
            PID: 2716

          C:\Windows\system32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe
            PID: 4696

          C:\Windows\system32\sc.exe
            Command line: sc config wuauserv start= disabled
            - Launches sc.exe
            PID: 3156

          C:\Windows\system32\sc.exe
            Command line: sc stop usosvc
            - Launches sc.exe
            PID: 1424

          C:\Windows\system32\sc.exe
            Command line: sc config usosvc start= disabled
            - Launches sc.exe
            PID: 2148

          C:\Windows\system32\sc.exe
            Command line: sc stop WaasMedicSvc
            - Launches sc.exe
            PID: 4148

          C:\Windows\system32\sc.exe
            Command line: sc config WaasMedicSvc start= disabled
            - Launches sc.exe
            PID: 4428

          C:\Windows\system32\sc.exe
            Command line: sc stop SecurityHealthService
            - Launches sc.exe
            PID: 1364

          C:\Windows\system32\sc.exe
            Command line: sc config SecurityHealthService start= disabled
            - Launches sc.exe
            PID: 2740

          C:\Windows\system32\sc.exe
            Command line: sc stop SDRSVC
            - Launches sc.exe
            PID: 644

          C:\Windows\system32\sc.exe
            Command line: sc config SDRSVC start= disabled
            - Launches sc.exe
            PID: 960

          C:\Windows\system32\sc.exe
            Command line: sc stop wscsvc
            - Launches sc.exe
            PID: 4928

          C:\Windows\system32\sc.exe
            Command line: sc config wscsvc start= disabled
            - Launches sc.exe
            PID: 3468

          C:\Windows\system32\sc.exe
            Command line: sc stop WdiServiceHost
            - Launches sc.exe
            PID: 1672

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3592

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
        PID: 4696

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 1
          - Delays execution with timeout.exe
          PID: 1012

      C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
        PID: 1188

      C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e6ec699b6839f02fec298d786d95244e_JaffaCakes118.exe"
        PID: 2824

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1712
        - Program crash
        PID: 4400

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID: 468

      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 432

      C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
        PID: 1052

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 4124

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 872
    - Program crash
    PID: 2408

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3844 -ip 3844
  PID: 4380

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 3296

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2152

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4376

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 3648

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3952 -ip 3952
  PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\dacfe76c-ec86-42ca-adc7-8e4854061561\test.bat.[22D0FE02].[[email protected]].makop
  Filesize: 8KB