blackshades | f9ebbf31433fe096b85efd20e808bf811fd0623406ad528246a4ec24d2380ca4

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\WinDefender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

UAC bypass 3 TTPs 64 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe

Windows security bypass 2 TTPs 64 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A03CECFC-ADBE-D7EC-2DCD-E7BA2FBBDCFF}	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A03CECFC-ADBE-D7EC-2DCD-E7BA2FBBDCFF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03CECFC-ADBE-D7EC-2DCD-E7BA2FBBDCFF}	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A03CECFC-ADBE-D7EC-2DCD-E7BA2FBBDCFF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe

Executes dropped EXE 64 IoCs

pid	Process
4668	WinDefender.exe
4624	WinDefender.exe
4948	WinDefender.exe
2472	WinDefender.exe
3368	WinDefender.exe
6096	WinDefender.exe
3864	WinDefender.exe
2980	WinDefender.exe
3820	WinDefender.exe
1072	WinDefender.exe
2696	WinDefender.exe
2740	WinDefender.exe
1780	WinDefender.exe
5084	WinDefender.exe
5228	WinDefender.exe
1748	WinDefender.exe
5124	WinDefender.exe
3460	WinDefender.exe
752	WinDefender.exe
2216	WinDefender.exe
5432	WinDefender.exe
5092	WinDefender.exe
2124	WinDefender.exe
3568	WinDefender.exe
4624	WinDefender.exe
4656	WinDefender.exe
3344	WinDefender.exe
4864	WinDefender.exe
5364	WinDefender.exe
1568	WinDefender.exe
2400	WinDefender.exe
4724	WinDefender.exe
2724	WinDefender.exe
968	WinDefender.exe
1068	WinDefender.exe
5520	WinDefender.exe
5860	WinDefender.exe
636	WinDefender.exe
5320	WinDefender.exe
408	WinDefender.exe
5492	WinDefender.exe
3708	WinDefender.exe
2156	WinDefender.exe
4664	WinDefender.exe
4652	WinDefender.exe
4796	WinDefender.exe
1564	WinDefender.exe
4732	WinDefender.exe
2856	WinDefender.exe
1216	WinDefender.exe
3604	WinDefender.exe
5328	WinDefender.exe
4720	WinDefender.exe
852	WinDefender.exe
4612	WinDefender.exe
6024	WinDefender.exe
2116	WinDefender.exe
1324	WinDefender.exe
668	WinDefender.exe
1072	WinDefender.exe
4800	WinDefender.exe
864	WinDefender.exe
5688	WinDefender.exe
5752	WinDefender.exe

Windows security modification 2 TTPs 64 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	WinDefender.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefender.exe"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5776 set thread context of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 4624 set thread context of 4948	4624	WinDefender.exe	100
PID 4668 set thread context of 2472	4668	WinDefender.exe	101
PID 3368 set thread context of 3864	3368	WinDefender.exe	109
PID 6096 set thread context of 2980	6096	WinDefender.exe	110
PID 3820 set thread context of 2696	3820	WinDefender.exe	131
PID 1072 set thread context of 2740	1072	WinDefender.exe	132
PID 1780 set thread context of 1748	1780	WinDefender.exe	139
PID 5084 set thread context of 5228	5084	WinDefender.exe	140
PID 5124 set thread context of 752	5124	WinDefender.exe	147
PID 3460 set thread context of 2216	3460	WinDefender.exe	148
PID 5432 set thread context of 2124	5432	WinDefender.exe	155
PID 5092 set thread context of 3568	5092	WinDefender.exe	156
PID 4624 set thread context of 3344	4624	WinDefender.exe	163
PID 4656 set thread context of 4864	4656	WinDefender.exe	164
PID 1568 set thread context of 4724	1568	WinDefender.exe	172
PID 5364 set thread context of 2400	5364	WinDefender.exe	171
PID 2724 set thread context of 1068	2724	WinDefender.exe	179
PID 968 set thread context of 5520	968	WinDefender.exe	180
PID 636 set thread context of 408	636	WinDefender.exe	189
PID 5860 set thread context of 5320	5860	WinDefender.exe	188
PID 3708 set thread context of 2156	3708	WinDefender.exe	200
PID 5492 set thread context of 4664	5492	WinDefender.exe	201
PID 4652 set thread context of 1564	4652	WinDefender.exe	212
PID 4796 set thread context of 4732	4796	WinDefender.exe	213
PID 2856 set thread context of 3604	2856	WinDefender.exe	220
PID 1216 set thread context of 5328	1216	WinDefender.exe	221
PID 852 set thread context of 6024	852	WinDefender.exe	229
PID 4720 set thread context of 4612	4720	WinDefender.exe	228
PID 2116 set thread context of 668	2116	WinDefender.exe	236
PID 1324 set thread context of 1072	1324	WinDefender.exe	237
PID 4800 set thread context of 5688	4800	WinDefender.exe	244
PID 864 set thread context of 5752	864	WinDefender.exe	245
PID 5368 set thread context of 4064	5368	WinDefender.exe	253
PID 5956 set thread context of 3708	5956	WinDefender.exe	252
PID 700 set thread context of 5212	700	WinDefender.exe	261
PID 448 set thread context of 4556	448	WinDefender.exe	260
PID 4760 set thread context of 5132	4760	WinDefender.exe	268
PID 4624 set thread context of 4868	4624	WinDefender.exe	269
PID 4880 set thread context of 388	4880	WinDefender.exe	277
PID 4508 set thread context of 5424	4508	WinDefender.exe	276
PID 3940 set thread context of 884	3940	WinDefender.exe	286
PID 724 set thread context of 1496	724	WinDefender.exe	285
PID 5880 set thread context of 3056	5880	WinDefender.exe	293
PID 5624 set thread context of 2208	5624	WinDefender.exe	294
PID 4876 set thread context of 2752	4876	WinDefender.exe	301
PID 1652 set thread context of 3868	1652	WinDefender.exe	302
PID 4328 set thread context of 548	4328	WinDefender.exe	309
PID 624 set thread context of 1428	624	WinDefender.exe	317
PID 4960 set thread context of 3268	4960	WinDefender.exe	318
PID 452 set thread context of 2236	452	WinDefender.exe	325
PID 4512 set thread context of 1672	4512	WinDefender.exe	326
PID 4824 set thread context of 3484	4824	WinDefender.exe	333
PID 3744 set thread context of 4776	3744	WinDefender.exe	334
PID 2120 set thread context of 4380	2120	WinDefender.exe	342
PID 532 set thread context of 4836	532	WinDefender.exe	341
PID 1420 set thread context of 4720	1420	WinDefender.exe	349
PID 3368 set thread context of 5172	3368	WinDefender.exe	350
PID 1384 set thread context of 1460	1384	WinDefender.exe	357
PID 1592 set thread context of 4376	1592	WinDefender.exe	358
PID 1556 set thread context of 5472	1556	WinDefender.exe	366
PID 1856 set thread context of 1716	1856	WinDefender.exe	365
PID 5200 set thread context of 5232	5200	WinDefender.exe	373
PID 5488 set thread context of 5756	5488	WinDefender.exe	374

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/508-2-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/508-5-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/508-6-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/508-7-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4948-39-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2472-41-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/508-43-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3864-65-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2980-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/508-72-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2696-96-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2740-100-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1748-124-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5228-127-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2216-153-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/752-150-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2124-176-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3568-179-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4864-204-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3344-207-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2400-230-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4724-233-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1068-256-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5520-259-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/408-285-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5320-288-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2156-311-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4664-314-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4732-340-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1564-337-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5328-366-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3604-369-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/6024-392-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4612-395-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/668-418-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1072-421-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5752-448-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5688-445-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3708-467-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4064-470-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4556-489-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5212-493-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5132-518-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4868-515-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/388-537-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5424-540-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1496-562-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/884-565-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2208-584-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3056-587-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2752-606-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3868-609-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/548-628-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3172-631-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1428-639-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1428-651-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3268-654-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1672-676-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2236-673-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3484-699-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4776-702-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4836-721-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4380-724-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5172-735-0x0000000000400000-0x000000000045D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDefender.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

pid	Process
3968	reg.exe
3432	reg.exe
636	reg.exe
5988	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 1	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeCreateTokenPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeAssignPrimaryTokenPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeLockMemoryPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeIncreaseQuotaPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeMachineAccountPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeTcbPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeSecurityPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeTakeOwnershipPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeLoadDriverPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeSystemProfilePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeSystemtimePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeProfSingleProcessPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeIncBasePriorityPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeCreatePagefilePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeCreatePermanentPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeBackupPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeRestorePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeShutdownPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeDebugPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeAuditPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeSystemEnvironmentPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeChangeNotifyPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeRemoteShutdownPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeUndockPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeSyncAgentPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeEnableDelegationPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeManageVolumePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeImpersonatePrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeCreateGlobalPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 31	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 32	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 33	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 34	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: 35	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeBackupPrivilege	4624	WinDefender.exe
Token: SeBackupPrivilege	4668	WinDefender.exe
Token: SeBackupPrivilege	3368	WinDefender.exe
Token: SeBackupPrivilege	6096	WinDefender.exe
Token: SeDebugPrivilege	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Token: SeBackupPrivilege	3820	WinDefender.exe
Token: SeBackupPrivilege	1072	WinDefender.exe
Token: SeBackupPrivilege	1780	WinDefender.exe
Token: SeBackupPrivilege	5084	WinDefender.exe
Token: SeBackupPrivilege	5124	WinDefender.exe
Token: SeBackupPrivilege	3460	WinDefender.exe
Token: SeBackupPrivilege	5432	WinDefender.exe
Token: SeBackupPrivilege	5092	WinDefender.exe
Token: SeBackupPrivilege	4624	WinDefender.exe
Token: SeBackupPrivilege	4656	WinDefender.exe
Token: SeBackupPrivilege	5364	WinDefender.exe
Token: SeBackupPrivilege	1568	WinDefender.exe
Token: SeBackupPrivilege	2724	WinDefender.exe
Token: SeBackupPrivilege	968	WinDefender.exe
Token: SeBackupPrivilege	5860	WinDefender.exe
Token: SeBackupPrivilege	636	WinDefender.exe
Token: SeBackupPrivilege	5492	WinDefender.exe
Token: SeBackupPrivilege	3708	WinDefender.exe
Token: SeBackupPrivilege	4652	WinDefender.exe
Token: SeBackupPrivilege	4796	WinDefender.exe
Token: SeBackupPrivilege	2856	WinDefender.exe
Token: SeBackupPrivilege	1216	WinDefender.exe
Token: SeBackupPrivilege	4720	WinDefender.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
4624	WinDefender.exe
4668	WinDefender.exe
4948	WinDefender.exe
4948	WinDefender.exe
2472	WinDefender.exe
2472	WinDefender.exe
3368	WinDefender.exe
6096	WinDefender.exe
3864	WinDefender.exe
3864	WinDefender.exe
2980	WinDefender.exe
2980	WinDefender.exe
508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
3820	WinDefender.exe
1072	WinDefender.exe
2696	WinDefender.exe
2696	WinDefender.exe
2740	WinDefender.exe
2740	WinDefender.exe
1780	WinDefender.exe
5084	WinDefender.exe
5228	WinDefender.exe
1748	WinDefender.exe
5228	WinDefender.exe
1748	WinDefender.exe
5124	WinDefender.exe
3460	WinDefender.exe
752	WinDefender.exe
2216	WinDefender.exe
752	WinDefender.exe
2216	WinDefender.exe
5432	WinDefender.exe
5092	WinDefender.exe
2124	WinDefender.exe
2124	WinDefender.exe
3568	WinDefender.exe
3568	WinDefender.exe
4624	WinDefender.exe
4656	WinDefender.exe
4864	WinDefender.exe
3344	WinDefender.exe
4864	WinDefender.exe
3344	WinDefender.exe
5364	WinDefender.exe
1568	WinDefender.exe
2400	WinDefender.exe
4724	WinDefender.exe
2400	WinDefender.exe
4724	WinDefender.exe
2724	WinDefender.exe
968	WinDefender.exe
1068	WinDefender.exe
5520	WinDefender.exe
1068	WinDefender.exe
5520	WinDefender.exe
5860	WinDefender.exe
636	WinDefender.exe
408	WinDefender.exe
5320	WinDefender.exe
5320	WinDefender.exe
408	WinDefender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 5776 wrote to memory of 508	5776	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	85
PID 3836 wrote to memory of 4668	3836	cmd.exe	98
PID 3836 wrote to memory of 4668	3836	cmd.exe	98
PID 3836 wrote to memory of 4668	3836	cmd.exe	98
PID 3344 wrote to memory of 4624	3344	cmd.exe	99
PID 3344 wrote to memory of 4624	3344	cmd.exe	99
PID 3344 wrote to memory of 4624	3344	cmd.exe	99
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4624 wrote to memory of 4948	4624	WinDefender.exe	100
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 4668 wrote to memory of 2472	4668	WinDefender.exe	101
PID 6076 wrote to memory of 3368	6076	cmd.exe	107
PID 6076 wrote to memory of 3368	6076	cmd.exe	107
PID 6076 wrote to memory of 3368	6076	cmd.exe	107
PID 3384 wrote to memory of 6096	3384	cmd.exe	108
PID 3384 wrote to memory of 6096	3384	cmd.exe	108
PID 3384 wrote to memory of 6096	3384	cmd.exe	108
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 3368 wrote to memory of 3864	3368	WinDefender.exe	109
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 6096 wrote to memory of 2980	6096	WinDefender.exe	110
PID 508 wrote to memory of 2424	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	113
PID 508 wrote to memory of 2424	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	113
PID 508 wrote to memory of 2424	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	113
PID 508 wrote to memory of 2232	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	114
PID 508 wrote to memory of 2232	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	114
PID 508 wrote to memory of 2232	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	114
PID 508 wrote to memory of 1940	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	115
PID 508 wrote to memory of 1940	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	115
PID 508 wrote to memory of 1940	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	115
PID 508 wrote to memory of 3488	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	116
PID 508 wrote to memory of 3488	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	116
PID 508 wrote to memory of 3488	508	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe	116

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WinDefender.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5776
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe:*:Enabled:Windows Messanger" /f
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a168a3e87ad513360084f51576a80435.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\WinDefender.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinDefender.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4668
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6076
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3368
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6096
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5488
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3820
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1072
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1780
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5084
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3460
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5124
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4332
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5432
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5092
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3896
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4656
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5364
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1568
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:6096
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2724
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:968
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1968
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5860
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4376
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:636
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3880
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2316
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3708
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4652
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1120
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4796
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2856
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1216
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1148
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:852
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4720
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1556
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1324
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:2116
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:932
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4800
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3820
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:864
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - Executes dropped EXE
    PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3436
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5368
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1540
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:5956
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1732
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:448
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:700
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4284
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1992
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4760
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4668
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4880
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4508
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5328
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:3940
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5148
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:724
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:5880
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1184
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2544
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:4876
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:1652
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4408
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - System policy modification
  PID:224
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:4328
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1532
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1312
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4512
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:452
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3276
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:4824
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4728
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:3744
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4832
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:2120
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:532
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1956
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1420
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3452
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:3368
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2412
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1384
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1592
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1556
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:1856
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:5200
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5896
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:5488
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4400
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:1016
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3128
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:1612
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4472
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System policy modification
  PID:2008
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2288
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:660
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5784
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3892
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security modification
  - System Location Discovery: System Language Discovery
  PID:5356
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2016
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:5612
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System policy modification
  PID:4860
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  PID:4508
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:4976
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - System policy modification
  PID:5980
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2832
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - System policy modification
  PID:2616
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - System policy modification
  PID:4028
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1544
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:4980
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2812
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3680
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4872
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System policy modification
  PID:5764
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  PID:1696
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:5944
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:3036
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security modification
  PID:5604
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:1484
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:5348
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  PID:624
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WinDefender.exe
1⤵
PID:4416
- C:\Users\Admin\AppData\Roaming\WinDefender.exe
  C:\Users\Admin\AppData\Roaming\WinDefender.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  PID:6008
- - C:\Users\Admin\AppData\Roaming\WinDefender.exe
    C:\Users\Admin\AppData\Roaming\WinDefender.exe
    3⤵
    PID:1844

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry