Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/12/2024, 05:25
Static task: static1

Behavioral task: behavioral1
Sample: ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General

Target: ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Size: 530KB
MD5: ea184a14a40394f152e2c08eb9ba62ee
SHA1: 80a98688698a29681588d5fa23382b1fa33279b5
SHA256: 46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d
SHA512: d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6
SSDEEP: 6144:GrtIRxHou3JQW6ioI+CCeNsHLFwoRgv/uxEj0qqVqOjgsVP/RG4vDuK8tFAnpLLC:GORP36Wz8CCeMF5s2jBLG4buJgtY6qZ
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H46e00dG50o69X.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4832 | powershell.exe
4292 | powershell.exe
4200 | powershell.exe
2316 | powershell.exe
4772 | powershell.exe
2840 | powershell.exe
468 | powershell.exe
4884 | powershell.exe
1788 | powershell.exe
2140 | powershell.exe
1692 | powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | H46e00dG50o69X.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3516 | H46e00dG50o69X.exe
1640 | H46e00dG50o69X.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\H46e00dG50o69X = "C:\\Users\\Public\\Documents\\AhdRyd002Xk0002\\svchost.exe" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\H46e00dG50o69X = "C:\\Users\\Public\\Documents\\AhdRyd002Xk0002\\svchost.exe" | H46e00dG50o69X.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | H46e00dG50o69X.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H46e00dG50o69X.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | H46e00dG50o69X.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | Process
4772 | powershell.exe
1788 | powershell.exe
2140 | powershell.exe
2840 | powershell.exe
4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
468 | powershell.exe
468 | powershell.exe
4772 | powershell.exe
4772 | powershell.exe
4292 | powershell.exe
4292 | powershell.exe
1788 | powershell.exe
1788 | powershell.exe
4832 | powershell.exe
4832 | powershell.exe
3516 | H46e00dG50o69X.exe
3516 | H46e00dG50o69X.exe
4200 | powershell.exe
4200 | powershell.exe
2840 | powershell.exe
2840 | powershell.exe
2140 | powershell.exe
2140 | powershell.exe
468 | powershell.exe
1692 | powershell.exe
1692 | powershell.exe
2316 | powershell.exe
2316 | powershell.exe
4292 | powershell.exe
4884 | powershell.exe
4884 | powershell.exe
4832 | powershell.exe
4200 | powershell.exe
1692 | powershell.exe
2316 | powershell.exe
4884 | powershell.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1788 | powershell.exe
Token: SeDebugPrivilege | 4772 | powershell.exe
Token: SeDebugPrivilege | 2840 | powershell.exe
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeDebugPrivilege | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Token: SeDebugPrivilege | 468 | powershell.exe
Token: SeDebugPrivilege | 4292 | powershell.exe
Token: SeDebugPrivilege | 4832 | powershell.exe
Token: SeDebugPrivilege | 4200 | powershell.exe
Token: SeDebugPrivilege | 3516 | H46e00dG50o69X.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 2316 | powershell.exe
Token: SeDebugPrivilege | 4884 | powershell.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 4940 wrote to memory of 1788 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 85
PID 4940 wrote to memory of 1788 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 85
PID 4940 wrote to memory of 1788 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 85
PID 4940 wrote to memory of 4772 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 87
PID 4940 wrote to memory of 4772 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 87
PID 4940 wrote to memory of 4772 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 87
PID 4940 wrote to memory of 2840 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 89
PID 4940 wrote to memory of 2840 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 89
PID 4940 wrote to memory of 2840 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 89
PID 4940 wrote to memory of 2140 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 91
PID 4940 wrote to memory of 2140 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 91
PID 4940 wrote to memory of 2140 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 91
PID 4940 wrote to memory of 3516 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 93
PID 4940 wrote to memory of 3516 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 93
PID 4940 wrote to memory of 3516 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 93
PID 4940 wrote to memory of 468 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 94
PID 4940 wrote to memory of 468 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 94
PID 4940 wrote to memory of 468 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 94
PID 4940 wrote to memory of 4832 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 96
PID 4940 wrote to memory of 4832 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 96
PID 4940 wrote to memory of 4832 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 96
PID 4940 wrote to memory of 4292 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 98
PID 4940 wrote to memory of 4292 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 98
PID 4940 wrote to memory of 4292 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 98
PID 3516 wrote to memory of 4200 | 3516 | H46e00dG50o69X.exe | 100
PID 3516 wrote to memory of 4200 | 3516 | H46e00dG50o69X.exe | 100
PID 3516 wrote to memory of 4200 | 3516 | H46e00dG50o69X.exe | 100
PID 4940 wrote to memory of 3064 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 102
PID 4940 wrote to memory of 3064 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 102
PID 4940 wrote to memory of 3064 | 4940 | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe | 102
PID 3516 wrote to memory of 1692 | 3516 | H46e00dG50o69X.exe | 103
PID 3516 wrote to memory of 1692 | 3516 | H46e00dG50o69X.exe | 103
PID 3516 wrote to memory of 1692 | 3516 | H46e00dG50o69X.exe | 103
PID 3516 wrote to memory of 2316 | 3516 | H46e00dG50o69X.exe | 105
PID 3516 wrote to memory of 2316 | 3516 | H46e00dG50o69X.exe | 105
PID 3516 wrote to memory of 2316 | 3516 | H46e00dG50o69X.exe | 105
PID 3516 wrote to memory of 4884 | 3516 | H46e00dG50o69X.exe | 107
PID 3516 wrote to memory of 4884 | 3516 | H46e00dG50o69X.exe | 107
PID 3516 wrote to memory of 4884 | 3516 | H46e00dG50o69X.exe | 107
PID 3516 wrote to memory of 1640 | 3516 | H46e00dG50o69X.exe | 109
PID 3516 wrote to memory of 1640 | 3516 | H46e00dG50o69X.exe | 109
PID 3516 wrote to memory of 1640 | 3516 | H46e00dG50o69X.exe | 109
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | H46e00dG50o69X.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe (depth 1, PID 4940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe"
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1788)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4772)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2840)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2140)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe (depth 2, PID 3516)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4200)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1692)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2316)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4884)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe (depth 3, PID 1640)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H46e00dG50o69X.exe"
      - Executes dropped EXE

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 468)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4832)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4292)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\AhdRyd002Xk0002\svchost.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe (depth 2, PID 3064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118.exe"
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- Filesize: 18KB
  MD5: 8a55804eb03a434490f09a486d092b33
  SHA1: ba7388faf188f3f6c1491b237e687f77ef5b507f
  SHA256: 7a9179df2d07f4aa90505eb43e96849980aa2f606188a62d6bd274ff32d87695
  SHA512: 2a2a6e8eccbd7803dd4757bc584f06f3409c826ef3be2bf4eba68e63825875cee9245c49eecfc5d25233a96179c491a4f84890a612b5a8a45e03e4a560881351

- Filesize: 18KB
  MD5: 873b6e23e13376607989a290c55e6f44
  SHA1: 3a9b595444e78c45317a83d814e4dd7cad10e128
  SHA256: eb0ebdcaf4083205bb9bdedd9a5b37244f3b18896c1333637937afef38d71e0a
  SHA512: 0c847a592a8f66bfd0d94bf649236180d7f903c39e04874f0fa23c73e046c975f55af3751ba1b42340f1fc8b91312d6c428920ab2ddc7ea0b3955f9ad7d0b994

- Filesize: 18KB
  MD5: 127b8a8f71649d00cd4315ea570b16a5
  SHA1: 37655307f831fb9d642e65adcaea135a39c69c0a
  SHA256: 779c2ce03d2eb8e7778df0dc5f4d7f0bda8642aed9654ae412fbd059a77b4b97
  SHA512: db29350353e9ede2aaa1d4b760a4a2dbe240bc23b72671d6f2667f36716fe7bbbad8fa4062d895072324977d446278a1c86ae27a7702266356dae0af2ddbcce5

- Filesize: 18KB
  MD5: 2a0b917aa88ccb16a254c6307cf75380
  SHA1: 8352a03d6e0d200047c0d199dd750b76035f776b
  SHA256: 8730263dcea81b473171f967c5624823b09a9bc36632d46db8c94666cf1db4ef
  SHA512: 2f87b16f282a30e013315f4249d0135b887dc4e6e0278013f0147075f54444c5d26f285e0d6190604ce0905ab0173a89ea6815820b79634398c42c6270c141da

- Filesize: 18KB
  MD5: 314300ca274bedb706bda214e58054eb
  SHA1: dd56f8598dbc1be93a9c7f3c6c93414612a8469b
  SHA256: 147ba478f92330bea804ea3bbe11394f4db64ef0a12e932915d80d8d19aff939
  SHA512: 651f96fc9c8c990646b4c89b450902993e7bf3e9261bebb722304a7b6af8769e967efed8274d70158550197c7edcf9b0e157b96d3062dd325375546307bc5efc

- Filesize: 18KB
  MD5: e320840dce4223bd7130a74a4a644da6
  SHA1: 6890db0054912cb418767ae052c7e3607bd41754
  SHA256: 4d8390d7154d4dbfb7b3057207853e7a66fe50ff38e4298dc91a0247ffb62be6
  SHA512: 8307708de3f6dee638bac3a390d93df1d04c7a474fe8621d902ad10a447b0242cd1c981f13961e7497a1fe76fcd8433b8c5db1484262b7dca6a7878ae8f01ade

- Filesize: 18KB
  MD5: 685d2494a7772369b20461a57e2e5bf5
  SHA1: c12b9cb96da2cca25bf1de7ade24c21b29ce594e
  SHA256: 0d1fbff057cf03362bb5788384a89efaad48d13eb896065ebc1734e8699836ef
  SHA512: a54d70b005cdc73f7defaf1c3998df0c5ee5a9a835f6fb79d430e7fb511075e2f013e4199d2d20a045a6f5a6fc1b4777adfc9b6ee46cd195127e562079eeceed

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 530KB
  MD5: ea184a14a40394f152e2c08eb9ba62ee
  SHA1: 80a98688698a29681588d5fa23382b1fa33279b5
  SHA256: 46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d
  SHA512: d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6