5d8a701110d58ab7c1aa8bae6bc9d5358b8cd508115891320e6af6c68f3bbd74

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
Size

796KB
MD5

70b0fe3702cbab6ab0c09a775fd6b539
SHA1

6b99372b8cc4ceb8ef678c74653e1471f69bc53f
SHA256

5d8a701110d58ab7c1aa8bae6bc9d5358b8cd508115891320e6af6c68f3bbd74
SHA512

8cbbfe51f93de5c8a075c7a031867a2f5e7b7681aff709b89008f276c9aa5fe74e3fc6865a0fc28550d3a2ec9892de3c5539dfd9b06ab938dcc2ed2e1cc3fd8c
SSDEEP

12288:B6bzpTWdzHkaPqtzDQmSKebtX+74EXuJpZFuk+2YeEbv0BP78B:B6h9hzDQnE8SxeEb0Bg

Score

9^/10

dave ransomware spyware stealer

Malware Config

Signatures

Renames multiple (8017) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/2972-9-0x00000000003A0000-0x00000000003CF000-memory.dmp	dave

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 46 IoCs

Processes:

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F5ZW0CRZ\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K03K2CA5\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EY0DVRIO\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NBOOK_01.MID	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01184_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0088542.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152698.WMF	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\R3ADM3.txt	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

pid	process
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2684	vssvc.exe
Token: SeRestorePrivilege	2684	vssvc.exe
Token: SeAuditPrivilege	2684	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2448	WMIC.exe
Token: SeRemoteShutdownPrivilege	2448	WMIC.exe
Token: SeUndockPrivilege	2448	WMIC.exe
Token: SeManageVolumePrivilege	2448	WMIC.exe
Token: 33	2448	WMIC.exe
Token: 34	2448	WMIC.exe
Token: 35	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeSecurityPrivilege	2448	WMIC.exe
Token: SeTakeOwnershipPrivilege	2448	WMIC.exe
Token: SeLoadDriverPrivilege	2448	WMIC.exe
Token: SeSystemProfilePrivilege	2448	WMIC.exe
Token: SeSystemtimePrivilege	2448	WMIC.exe
Token: SeProfSingleProcessPrivilege	2448	WMIC.exe
Token: SeIncBasePriorityPrivilege	2448	WMIC.exe
Token: SeCreatePagefilePrivilege	2448	WMIC.exe
Token: SeBackupPrivilege	2448	WMIC.exe
Token: SeRestorePrivilege	2448	WMIC.exe
Token: SeShutdownPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	2448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2448	WMIC.exe
Token: SeRemoteShutdownPrivilege	2448	WMIC.exe
Token: SeUndockPrivilege	2448	WMIC.exe
Token: SeManageVolumePrivilege	2448	WMIC.exe
Token: 33	2448	WMIC.exe
Token: 34	2448	WMIC.exe
Token: 35	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe
Token: 34	2632	WMIC.exe
Token: 35	2632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

pid process

2972 70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2948	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2948	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2948	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2948	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 2448	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 2448	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 2448	2948	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 1920	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1920	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1920	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1920	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 1920 wrote to memory of 2632	1920	cmd.exe	WMIC.exe
PID 1920 wrote to memory of 2632	1920	cmd.exe	WMIC.exe
PID 1920 wrote to memory of 2632	1920	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2748	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2748	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2748	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2748	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2860	2748	cmd.exe	WMIC.exe
PID 2748 wrote to memory of 2860	2748	cmd.exe	WMIC.exe
PID 2748 wrote to memory of 2860	2748	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2896	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2896	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2896	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2896	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2896 wrote to memory of 2380	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 2380	2896	cmd.exe	WMIC.exe
PID 2896 wrote to memory of 2380	2896	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 1932	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1932	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1932	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1932	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 1932 wrote to memory of 1856	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 1856	1932	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 1856	1932	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 288	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 288	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 288	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 288	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 288 wrote to memory of 2016	288	cmd.exe	WMIC.exe
PID 288 wrote to memory of 2016	288	cmd.exe	WMIC.exe
PID 288 wrote to memory of 2016	288	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 1908	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1908	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1908	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1908	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 2680	1908	cmd.exe	WMIC.exe
PID 1908 wrote to memory of 2680	1908	cmd.exe	WMIC.exe
PID 1908 wrote to memory of 2680	1908	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 1500	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1500	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1500	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 1500	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 1500 wrote to memory of 1564	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1564	1500	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1564	1500	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2240	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2240	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2240	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2240	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2216	2240	cmd.exe	WMIC.exe
PID 2240 wrote to memory of 2216	2240	cmd.exe	WMIC.exe
PID 2240 wrote to memory of 2216	2240	cmd.exe	WMIC.exe
PID 2972 wrote to memory of 2024	2972	70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70b0fe3702cbab6ab0c09a775fd6b539_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FCB38AC8-5BF2-452F-A0B4-74358AF58331}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FCB38AC8-5BF2-452F-A0B4-74358AF58331}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF317DE3-BF08-4258-88F3-B0A6BE6FF3DC}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CF317DE3-BF08-4258-88F3-B0A6BE6FF3DC}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E1A2FE1-97E7-4197-AAE3-8A4DC402BCF8}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E1A2FE1-97E7-4197-AAE3-8A4DC402BCF8}'" delete
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E2111EF-62A0-462A-942F-4D77FC57EBA7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E2111EF-62A0-462A-942F-4D77FC57EBA7}'" delete
    3⤵
    PID:2380
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3912F70D-A99E-4F55-98AA-43C072C75BF1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3912F70D-A99E-4F55-98AA-43C072C75BF1}'" delete
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34D7511E-8275-4DF8-BCF5-B1DA649EF546}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34D7511E-8275-4DF8-BCF5-B1DA649EF546}'" delete
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE92E214-5D12-40F6-AC80-823310FFDFB7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE92E214-5D12-40F6-AC80-823310FFDFB7}'" delete
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{551CD9D2-11CB-4C6F-8ADC-3D3928EBC7C3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{551CD9D2-11CB-4C6F-8ADC-3D3928EBC7C3}'" delete
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{858631E3-F88B-4FEC-A74B-04A70E74F805}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{858631E3-F88B-4FEC-A74B-04A70E74F805}'" delete
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7E57876-9FE2-449C-9015-DB7EBB30A5D0}'" delete
  2⤵
  PID:2024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A7E57876-9FE2-449C-9015-DB7EBB30A5D0}'" delete
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CA8D1F8-B473-4500-B83A-B8635829D287}'" delete
  2⤵
  PID:2012
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CA8D1F8-B473-4500-B83A-B8635829D287}'" delete
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D7DA3F3-8F82-4D4A-BFCB-C1C06F1F726E}'" delete
  2⤵
  PID:532
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8D7DA3F3-8F82-4D4A-BFCB-C1C06F1F726E}'" delete
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{058745A6-C542-4EEF-9279-65DB499EDA79}'" delete
  2⤵
  PID:1616
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{058745A6-C542-4EEF-9279-65DB499EDA79}'" delete
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B9E404A-B100-4D3D-AA15-CC7B233C6988}'" delete
  2⤵
  PID:1164
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B9E404A-B100-4D3D-AA15-CC7B233C6988}'" delete
    3⤵
    PID:604
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{92DC6E8B-FBF2-453C-AF69-61FA7D811DCF}'" delete
  2⤵
  PID:3024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{92DC6E8B-FBF2-453C-AF69-61FA7D811DCF}'" delete
    3⤵
    PID:448
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C7FA08F-BC2C-483C-871A-29E57DDC73C2}'" delete
  2⤵
  PID:3020
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C7FA08F-BC2C-483C-871A-29E57DDC73C2}'" delete
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B187535-CA9B-427C-A9FB-7E8CC535707B}'" delete
  2⤵
  PID:2792
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B187535-CA9B-427C-A9FB-7E8CC535707B}'" delete
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45B8D93A-03B9-4DE3-BFE4-D0BC33383D0D}'" delete
  2⤵
  PID:1552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45B8D93A-03B9-4DE3-BFE4-D0BC33383D0D}'" delete
    3⤵
    PID:1596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\R3ADM3.txt

Filesize
223B

MD5
b4f717b15c12f77abb29467fda9b8289

SHA1
bb52fcf3925c992e772eccc237f506cc725d7859

SHA256
469aade655b9400da980dbeb13429b36ec56ce46851dacc168892754b5b17ddb

SHA512
9a4a82424a8cacdeaab6f823187f38d64655075a7175a3abbb359449d8b527859f9a203d98f7f188e788aa78ede880ba89adb76a86bf79ce881e002cf6c94fbb

Download Submit
memory/2972-0-0x0000000001E30000-0x0000000001E62000-memory.dmp

Filesize
200KB

Download
memory/2972-9-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2972-4-0x0000000001E70000-0x0000000001EA1000-memory.dmp

Filesize
196KB

Download