exorcist | dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

Resubmissions

16-08-2024 12:27

240816-pm43raycrm 10

Analysis

max time kernel
141s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Size

68KB
MD5

9e5c89c84cdbf460fc6857c4e32dafdf
SHA1

ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d
SHA256

dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620
SHA512

6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8
SSDEEP

1536:7ufJPTAoUei1obcxtZbW3BqlIS2IyUY4h2wEsOolJT+y9v:7upTAneif03BqarUY4l

Score

10^/10

exorcist discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\DECRYPT-QCDPay-decrypt.hta

Ransom Note

<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>QCDPay Decrypt</title><style type="text/css">body { text-align: center; background: rgb(192, 176, 176); color: black; font-family: Arial, Helvetica, sans-serif; font-size: 14pt;}a { cursor: pointer; color: rgb(68, 68, 68);}textarea { width: 90%; height: 200px; background: black; color: white; border: 1px solid black; font-size: 12pt; font-weight: bold;}</style></head><body><h1>QCDPay Decrypt</h1><h3>All your data has been encrypted with Exorcist 2.0 Ransomware.</h3><h3>Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.</h3><h3>If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed.</h3><h3>To do this, install Tor Browser (here: <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a>) and follow instructions on this web site: <a href='http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/'>http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/</a></h3><h3>IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!</h3><hr><h2>Your authorization key:</h2><textarea readonly>Nvf6NPsvzmLPymJl6JACK8o1ItMTT345jNKFakHZqQJuD3LsTBSIan0uDgAo/L4J MiZiCvhneooqxrQ8vS/7QBkjGkL73Gx9MIHCozv25PFvJT/JEdDTRVgSiI6hDMno GZ8/vOh6Hl1OOAKGonq/mim2Pn9qnIx9BpYT/FfZdJnDNY+IyRFlTWJdIxIsf1HN ZIwcrsuw6+FzEt2XXweMV7TOESVq7jyswEV/QOwnF+H2Yk7QhJhGR64AnLulq1Q4 bglMuQ2JxYBhAV2Efguxc2LxCs+uSty+kFsZrLxpF9pcRskrHw/e41esqD0x/P3V GHQ8GfarbzhWezxGSz7XpPK5Vuds/MdLFrq+J6Qf1ODQlRHHxTfOHlstEEKRMDvy JAWlnwZLc3fBPHV0uK3EblfXi4rhH87yaZcyc8P4qssvVfWzb0prekiP6AK38wsr EpBXZ9Tlnfvv5H9+OQGV+U2lAS7WKPDPigFachcIzwMpqnV4wJ3v+pnGHNbW/XfW xitZ8LikOKRu5pwvDwRpxpB0KpR75HwrUnYaLT3qgTCxt90/p9M4cERn35zlEJ8N SoAPs/hnRej51CzibPHrGNVbA/m/cqsvDv4EA7yPIe/sC1BLpgnwnoU2/Gg7E6sr isvvoqPGWE5gaVJ0cwG50hXQSpD3A1KcRzd8UfSDQ5LESqe4wf0XDPEhVZpQ1Vbc w4zt0BjYPjY15I2U2BfpybeDcbTQB3OnWXwfgXYVb7Zh8Qt2SlzVUo4cIZeZ9FXI TC9a0/uCjf3i9ks8+SWfOtPTsARkBM28Ilqely+0qKQZb2QhQSaiK3fdSjt6i0DI /6f0zzVvpKDZdGqvbrNZGf7E85YcDkV5M/+XnRPHDI2bIR78dKNApR2FVYkR38K9 MrK2xZhjcVN5XOQVfKeOGE4giR3B2VDR38+U1D4BPTWlvSCzS6eunzLndFZGYTCd wT/rwJGbziPbLN6OAms8L55Q2NOVU86Socl0UAq5Qz1ekSd+/4Ln81t1jM95beVl KiNIZlE4uA4Jal6U3S9cgKqVaZkxLOfehC9GuNQNTJTGnrmE7fDkkpMO+cQvXRlk 2VVhALeXNOxOqr8OqOuas3fL8rGf2gCz9R+xx7E99Me6726jxr0PW1IHbX04gFlq MYwFlLudxft7aA+T8V4C/cpQpw5VPHRclARFCkgcQiF0A38BOrwb8rodOJu5Qy6j +4s5IeE6k4Kiu3gmvnEMY/t5CyuDo6M5O4gnAw6nI/O0l68frfGOV6uxnRQ0T2Jd 90fpe3bwsgHIAuGSNnVxnw6lvTa8xSTmpH+TSpulZHYQ1JNLMDVlkopUI2fPSthk kaQMnO+Mn/MNoByKd+h+FDt1yHt/QHLHHWj+O9pzHAxkk+Rhx8pO53shQAJ8iiQ6 T9hX6ZL1KOljNJs708ptC9bTCbCNpwNT6SGHIjF4qYkPYLuW59cvDlMlVdrwffA8 wYOwderDtD2npHfTrh2IQLATRUG7zIM+LL4ESmihDpBDJz61FV/9/QXgCTpKNd/3 1BLUjTchjOcoKhAZ35vewKUp8NdUfeKpzM/Q0lE1DjAXaY5SqITRYmxZXM295Xmy 3HpQb1PNten3b0EGTYY0BTn2I7BLYKh15iI513Kgc4t+VodPTBleh4vxzBilGOkt xa6ahXsTzx2YEV5swCfKdQgRXWwHZOB0iBx5lsPiLMfPldJEFWwYR9z9EXnIh7Ea Bq5S4YZbPvNehCtXerxhzbvGR50FQX0NsScy5STOs5l0AhMY3qLA8a17UFCX38Ve IeOVq6bPkaibCoGle+ZXBFy6zjYd7o0g0yjXoY3nxAAuNjdDj5+tlr8gchxhfeI0 Y93un2VfdWdZvmSLuWLrXPcZqyP8Anvw3/7Bki0gpfKbKBpKxyiXzebwtmRAGquV l2XfudUNIbfcH0PIV2trYibyww/6O3tAANEt5ILy7nJzFlox/y+mUykh36GGIqMV 8wzI/kTRfSewCTmWVLF6fkSOO+ESHNuzg/RKWhxknWVaK7r50g0pTg1LzpyCbphK 9QUXytmrrKAfGMI6tHd0cqAZ4NwH3KdSRoVUlcjw+HRTDwI2XEzFw7aJUDdSiPNZ fdGKPmjcb8LOwfYg3rfae7kOAAVvOmDFq5oJo/ifH9CB7CSbyvU27tpYXaP+wz1K Y3cXXeJSd7TPcwfALxKBdeE36dObAa46MQ8NYYAKI5za9yVJE2VTSl0ctAsXYAxW FJn8demRUNRuiLAwjJTfRXJ6siiLFu/K79FScRWjBheCRd7H06tI3C+1HJ9u8Oxq ieaUKsK3uI6rhMzSaeEsbt/CnhWqCW0QNZWj638EnPjdWGehFDUuMSU1z9F53hB5 gkBw6RLSMb7SL8tnqQclu/uUea1LljijkAZ3OWJ3dWx7ZirKDVTBgbMlVvFfHmQm SqboUvQ3R6LS579WIMJggYzOgjqqS8Hqp+t04+tz9HW+nrvPz3N+n+kmLDwJLSxe zQY6m5C5nyQDmPSgDQcbtdeoAdlAT1mzfcY39xkjhdCG4aqjqotkqBFOssNKSCtE 2/6Fm9AL7NO5GGMvWH11AyxMY6g1CfdGdHBjUZ2uxoo3j+GYKgsD5MAUyk5VglPh Fa/oc/cl50fShmVi3PNoaXyoqgS+rm4EkBAVhBC3IT9HJTnCrWM+W8KQY3IR/wQk xpAWJqV72SbGpLtVPqJJlUgo9fKZOgpik/iHKpq/80llkX7j06BsYA7tYZNs/HDL wH0taf5CfGflW3cUaEKWgNPYsx2kmjjKgIZCm4mYs+7FNI/OHA4WRhHmgA2b5ZRH kcxVwQmcFc7z2zJIjPAH6wW/cs0f1QzACcy+qek4jHnmNfX7mHUps+wJOl+5abZ5 OBN00WW2L2dlOn39SuWYMOK/4Tf59WDuH5uOhRJloh2Gfkm6Am1W4f96GDy+M2R3 sjZn926F4jgQ9DnwbTm3JZLl0n2jggmqm959dOklaiqyNoy/pAJ1dZJ1BJ6xw7Ke Dt4Ix15OmOA8g8kWT9FnNfulKVYZaFwBug+H3LX6nEqSrAj04Btd8i0ZSw2ieZWT OIdixoGYw145q4QOsJXPFGGD7/U6q7a2NN5EMuy4MpNPUEBFNihS0SKI+LhF0F2K tpwTroVSyUZqtWotkK9CeHMcfWqFdWjkWWaeyjzDfyVN2WT7ncWmrS1wbJ+Dcxfy 9grJUdFeejCdvneYkULI7AAFJcYApsRkp3FAAKug+RO+oDCQx4yAqnsLBik3rdMq PWXwlGermPsWH8cFDT/LhNOJAPI/sdo3MD8GbNqdh4QducVv2uaj2ZnFeZzmOvan HkxlEdfswJZIneZBcZmhErx54y9JkR2Gw+smkNsjWCxzTQlTajdhdXKWIOL1AjDv zz47rgIWPeLMMmTdOIpotpDoo1/uyY8Fv+HG959RUVChlxAeBv//yA7eXBzwtBTk Seh/BRVQGarfRTKZBePMNC1TmP71Lkc6JfBgUXq6/KRCvIkLjn1rhTXBEm9VgNYS cqeoNZgETtXGchT0Ci0JG/bqNmRxcJi2vn1ftoBxNVFrbQAOic57ZYei5K193vhB zX9Ak36auKV7SvPtCxfaLFd2ddNGN2oWprp+6Y99WqQJGxMT4rCiTvAZmKtYkNNr XfAJkKpJ6yJwC7KLC0M48ROYGLwx9mc3xmMbUKAuZbjikr47tYkJNO64LTuJqX+E kKahWdG/lP4Wg5FDaDYtkL8fysQq7wARqRAsoSgjUG7xDUgtxWii8ZK0puhOp2+l /sSJujf+sCaDST16WHlTKII2Ll+Uc6teAA0sql416b2YfxaF4S+yM4dQmyh50sJq TmG7kmdKhXpGOYCazBSRhrDYCbLk+u+QapoEhAgJCBfMn9bS6V6rtA8atkvkewLM Kv6GCL99E8ekjvWIgI7cRIGsx5elDa96v/XH/+jQt26sfdPJycvpcJtJmY0YM1ba ipjAiBT55EvuyPc1jLk4wJh871c5vCTQ2YVEN2HQKfyFatx/Y8qVkRg+b1t6FZZf nBQOMEShjjTrGaU8ocGO9djugsLkwTy6sInpd8vEiISRcX8n9fjJCyQzql/KMrwF RwkgzACkkd5GNrtPS1m9oS2Afkzt4/z1IdX0HULrolYa4f1Tua7hxfcqM//qDoHa O576JRLByuMi70t83J8TX8HSk0xvuSI4zt9uSnMq+3AXjhWbY08G4saL+MHVQ9vF 9++Zkhbg+AZEYxhulBAcIRfxolclLk/zJQGyXjPnFVGehOij6VlLo6o+TrHbjhdl kvPEkCiwVnDmX3uARm6sfa9CfTrFLIj9/krIE/9axG4M/HDgStpXHxfcIyruPDN4 zdz1w5WH4SSQ1MG/p/vNkNuwsK5lnux+cb6At9Xhc2mXX90/a+HbDCkE486R1LjX LqpN1fSigIFvwJpbHOsBoE+MzUfpzHPIBsDrrz90xyjMvaCMFlGmCa9HCW571olG wXdaOPpK44rHUK7SmnQh+vFHBtkSbeA6LjDpHFpvq1z6GYQ//Hl0C1dxVGE1+5Hk daTGzGmls6w5PXCFQpocaSSVS30KfTUkbymze+LPeBWwBxR1xxRmAQ5HKfMIful8 k5Uq3IVpFrtaHA32m9Jvk84hDMnwz81sOF2PodsddJ/wKWd4Zv7TErHJmjqSSI4U XuvwR6EmFn6lSLyNWnRraT6NcFfQQS5D3II+RGWZa5P5qtihc3HtgRMyOuAzcmyu Ulq92QqI3bjuEAxEw5BkWNTJMdpiXD6eC/8hmwROINLe6Ylbo4f7IlTpssgfJZ9w tbyd9ZCvutNbi/bmLwVhzmsTOEJ6UpS/ramSawR6fd6fgV3kS1BsfEOn48TImK9J XhPTMVve2FsqEcfunQXbC8kxh9lQqVo6KHQtc4Hxd8b14uV1GGibJnp/CtJzT8GY oD1UALj3JCYC2+cGf1Vw5U+KMRkooyr6MRA/7JVayNr/22HW2zW5ZBWd1jhTQvfO OTJDdIuL7iWlcTXxL6RpS/lrp2G6FbT7eAhDgQsURlGzV8jG4vxNUpAcHBcOiuOL </textarea></body></html>

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Renames multiple (188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\N:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\H:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\G:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\F:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\K:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\O:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\A:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\Q:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\T:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\S:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\R:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\U:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\P:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\L:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\I:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\E:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\B:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\W:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\D:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\J:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\Y:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\X:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\M:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened (read-only)	\??\Z:	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2e523313ceec2630f41c0e350016420e19f0ab0c7f0116ea44b1f8234228b299	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 3337679cfe997835440d4bbc3395485aba63475b60647eaceeb30d947c198221	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 185bef219761cbcbe9fc5fa70fd15400694fb21efb6635e9dd7de75839170af3	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c00460069006e00640043006f006e007600650072007400460072006f006d002e0063007200770000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2efbb5014abad88065c012e20fff58ad8898d33ba6e370bbdcccddf753c34701	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0f7430d97ce8ff3cffdcdc9fd5ebd01489a027d32fc389deefaed7cd9e31095d	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3e21a276dcee9c5b1aa62ae4cd5088f41b42a314831e09df5e7119033f5ddc07	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0047006500740043006f006e006e006500630074002e0078007000730000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 787eda69e84676e6ef5afcb74e8bd4de89e20b0c366b9e858fb6f67c63a5e48c	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 43ca3617148022ed487940c923f63385e2e750310f11d460a082036ac39d7357	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0de3bcaaa41476e21957f525ca9c623da62d5dcc0f4835e8d2c169220dbab952	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0055006e0062006c006f0063006b0055006e00720065006700690073007400650072002e0078006c007300780000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2181f3ad241afeda0fd9a729b3b96c67dfc3a254d88972f1d5b90ae476595ee0	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 7f024c1db0f6d648e6d50cdf6be69a08dee1ad0bbf808dea5162bff2e16e7785	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e0431ddd87e954f14815222a5cb9569ae3d17ad8c7628e4e58b95c0d02a845e0	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 818145b12842c35552d1d03d0db3b61ff781eed5d2af8162461eef35873c81f3	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 02ff707143945dfabb22489318055a400d768df7326e1f9ce9d9090282d2944c	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 17985a671ec9d0d0afd9b4a79611c45d125f91b4b5d964aa9d42224b20b34039	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 18ce6d4ba181f86607422274c3e6f7e9e68e924915e1479b624a876ae61e5ffc	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b70558ab3d8816e411ae7bc426153a90acd440f0a06fbbd4f2bae25b39b3f0da	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c00530065006c006500630074004d006500610073007500720065002e005400530000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 771af22fdb7fd84db0ebe18efd39f8790fc1fb1d8dfda2ba7a164706c99a0a04	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0047006500740054006500730074002e0067006900660000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4ff378deeb6c7cc6298203f18e8e7d1379eef172f974e493787e0d9ebdace484	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 807ef9fbd5bd83e06c776ae69cc5fd09970ba12bbea9452e7a1f9943dd3f6fd8	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = af628f47828fa0ce752195a634fe0f1ec7edb2abf6a61f7a6e1faff51ab098c7	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c00520065006e0061006d00650045006400690074002e0070006f00740000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0c557cb1f2cf38c74dea0e6042d02722fe3afe56c05ec2555f1ed37332d2de00	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cca18f4c3d88630b2c4932d57a17eceeb53e83265a7e1b57eb1fa392a671bcb1	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 1fbdbf3067e956d598f23495accbcb653a1193ac134b2fe579ef7f468f5cec96	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{83bffa96-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bd6f3e791d4fb95821a55836a0918920ff08ef63105d083a27b67ba65aef7ae5	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6b7e89d55ebdea4b910d38ade18a2284127ccc91eae95a28835c7cd4b4893294	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c0043006f0070007900520065007300650074002e0078006d006c0000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c0049006e007300740061006c006c005300750062006d00690074002e0065006d00660000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 8579217844c90bee71886e571d2227dc9ac781c21c1669b367d7c0a92220c314	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004200610063006b007500700055006e006c006f0063006b002e0072007400660000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 33e83c9624b9ca4372c65c0352616ce8f9fb3ba467b508fabe204a47fb65ea0a	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 09552c09bb4fad682d91c56b15f45feae8aadf3bb7d6811dadcf3f477d299020	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0045007800700061006e006400570061007400630068002e0070007300310078006d006c0000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00460069006e00640044006900730063006f006e006e006500630074002e0078006c007300620000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c6be45a00904f1ecd6b7e090e6e4b9e38638f9fe334a3c014e5ca1851ed9b955	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 87f740e2cff16f4aa49662c262ce5894466c162e9a96e4231fe2e44c0dadfc1e	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a4a2aff6476229e642c965f60672ac3429d25fdd09ed0d2575309bbb7ac79730	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b5b6693c9715adb365b71954b63ca6b00665301a0ade3980cb80be21e61930e1	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = fcfe062efd19160a001a01794d9e72cfe310b1aff7515bb34c2461d06e75b5ff	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2af977a44a7ceeb5cad66b78f068aa9477a9de1520c5edf28e2078b9838ed55a	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 51fb036aa176bc4504293254c1f25fbd49d58fd9981de38ffa15c1729554f4d7	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d68c8aadf3a0d167288dd50f1f2e19fd5111d82de7ad42b4883ecf89482d5b60	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b42dfcf6e36685f1392c0b087a96eadc7ce4fd58a03c9fafa57626d0333b0f25	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c005300750062006d006900740053007400650070002e0077006d00660000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c0053006500610072006300680048006900640065002e0065006d00660000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 86137ede1b3d82e22f74a83efaa7e87563f69b98639dd5b35bffd90ff9cf185d	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a970b86c89751e574c08dc0200b17ebf5f8fde20cd378610fdff202987f99300	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c00440065006e00790053006100760065002e00680074006d0000000000	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = f19e575555926bfb6ec94f0d584ea617326851ce7da7dfdb258f637743ed9793	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ce15eaf90af93f56ca58e64bff3d039b529f4dfaab2fe174730743b2fbdc3b3c	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c01a12fc44462c4e742cff0cdf0cc3ce5e5994b4777d8c8298ec2b8c7ef9a415	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 01927994e6817ff172edc6254c7a7cb252e85e9370857255a0816b427428fd3a	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 43ac7f02f8d03fc43011cf74244ebe7106f9dab1dd9ed7ce76128ffdb6bfe10c	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9718fc63d4951c75b9dbd82b375a9b351b25a9136562b4169b20a173ece42ab7	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = dfc5a7eb062b92cc697707e5a4c8f76faadded597804b6ef37d711ced873180e	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\aUm63Y\windows.sys:qvqhfjkvnrdtqgtt	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\J6nS3d\windows.sys:dhpkxqkdun	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\MUlljO\windows.sys:qxoyhxveerelbnrwg	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\J6nS3d\windows.sys:dhpkxqkdun	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeRestorePrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeDebugPrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeSecurityPrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeRestorePrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeDebugPrivilege	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe
Token: SeShutdownPrivilege	2724	WMIC.exe
Token: SeDebugPrivilege	2724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2724	WMIC.exe
Token: SeRemoteShutdownPrivilege	2724	WMIC.exe
Token: SeUndockPrivilege	2724	WMIC.exe
Token: SeManageVolumePrivilege	2724	WMIC.exe
Token: 33	2724	WMIC.exe
Token: 34	2724	WMIC.exe
Token: 35	2724	WMIC.exe
Token: 36	2724	WMIC.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 2308	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	86
PID 728 wrote to memory of 2308	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	86
PID 728 wrote to memory of 2308	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	86
PID 728 wrote to memory of 1616	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	88
PID 728 wrote to memory of 1616	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	88
PID 728 wrote to memory of 1616	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	88
PID 728 wrote to memory of 1288	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	90
PID 728 wrote to memory of 1288	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	90
PID 728 wrote to memory of 1288	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	90
PID 728 wrote to memory of 1028	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	92
PID 728 wrote to memory of 1028	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	92
PID 728 wrote to memory of 1028	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	92
PID 728 wrote to memory of 2860	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	95
PID 728 wrote to memory of 2860	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	95
PID 728 wrote to memory of 2860	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	95
PID 728 wrote to memory of 4572	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	97
PID 728 wrote to memory of 4572	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	97
PID 728 wrote to memory of 4572	728	9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe	97
PID 4572 wrote to memory of 2724	4572	cmd.exe	99
PID 4572 wrote to memory of 2724	4572	cmd.exe	99
PID 4572 wrote to memory of 2724	4572	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\DECRYPT-QCDPay-decrypt.hta

Filesize
6KB

MD5
fc66062dab9008e38a3e9a1e0ed03cf1

SHA1
03f040682bd9db182b66d0d24169ede354376386

SHA256
681265a65919cd9000154fc2ce7dec3689546547a47b38b0672032e77d35b78b

SHA512
278bc9d720e12a463fae1afff5c09a30dbe874b39b375feb528db73a04ef43055bbe03739376df31cd7f1be8da6a0329c0d1af2a6e25f97e58a638de00397516

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit