Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
05-10-2021 19:56
Static task
static1
Behavioral task
behavioral1
Sample
HotCoffeeRansomware.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
HotCoffeeRansomware.exe
Resource
win10v20210408
Errors
General
-
Target
HotCoffeeRansomware.exe
-
Size
776KB
-
MD5
c054c0f03277f7f0bdad9350fa3d5c2d
-
SHA1
752071b548bb3a4c45c91174fcf5cf95ce99638a
-
SHA256
546f3a70ab029ad78105f1b7cf581038362cfbb3c7120326075552d72656ec98
-
SHA512
783a02a18f15c80c21cb08b9822ab02c0f62a11340edbbc44a364db9d820bda795db086f843ed3c2597d86c2933dc531ebdaa2ab3fc97e3f5e18aa3c437f6576
Malware Config
Extracted
C:\Users\Admin\Desktop\HOT_COFFEE_README.hta
EMAIL@protonmail.com
Signatures
-
Drops startup file 3 IoCs
Processes:
HotCoffeeRansomware.exetaskmgr.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hot_coffee_readme.hta taskmgr.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
HotCoffeeRansomware.exedescription ioc process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\7-Zip\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-sl\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\Updates\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Windows Media Player\en-US\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Common Files\Services\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Java\jre1.8.0_66\lib\jfr\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office 15\ClientX64\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Windows Portable Devices\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\AppxMetadata\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt.hotcoffee HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\HOT_COFFEE_README.hta HotCoffeeRansomware.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\HOT_COFFEE_README.hta HotCoffeeRansomware.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
taskmgr.exepid process 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 1648 taskmgr.exe Token: SeSystemProfilePrivilege 1648 taskmgr.exe Token: SeCreateGlobalPrivilege 1648 taskmgr.exe Token: 33 1648 taskmgr.exe Token: SeIncBasePriorityPrivilege 1648 taskmgr.exe -
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
taskmgr.exepid process 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe -
Suspicious use of SendNotifyMessage 56 IoCs
Processes:
taskmgr.exepid process 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe 1648 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
LogonUI.exepid process 2300 LogonUI.exe 2300 LogonUI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe"C:\Users\Admin\AppData\Local\Temp\HotCoffeeRansomware.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOT_COFFEE_README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aff055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HOT_COFFEE_README.htaMD5
6e7b27b7aefb0b372b672ca6c4105d6c
SHA1690ac02d79345d25b9d68315429c82089e284ceb
SHA2566648a5494ef3ab26252c30c4f63ef76667c718126839ed8ac7bc3496fde8f64a
SHA512f81fd765119651631d439a945cc8ee26f9e3bb80a24e8dbd5ad91d5073b2611cd163a540f9b96b562fed87bc9601811f8d4e3fecca7fc9c016cd18e4a012662a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOT_COFFEE_README.htaMD5
6e7b27b7aefb0b372b672ca6c4105d6c
SHA1690ac02d79345d25b9d68315429c82089e284ceb
SHA2566648a5494ef3ab26252c30c4f63ef76667c718126839ed8ac7bc3496fde8f64a
SHA512f81fd765119651631d439a945cc8ee26f9e3bb80a24e8dbd5ad91d5073b2611cd163a540f9b96b562fed87bc9601811f8d4e3fecca7fc9c016cd18e4a012662a
-
C:\Users\Admin\Desktop\HOT_COFFEE_README.htaMD5
6e7b27b7aefb0b372b672ca6c4105d6c
SHA1690ac02d79345d25b9d68315429c82089e284ceb
SHA2566648a5494ef3ab26252c30c4f63ef76667c718126839ed8ac7bc3496fde8f64a
SHA512f81fd765119651631d439a945cc8ee26f9e3bb80a24e8dbd5ad91d5073b2611cd163a540f9b96b562fed87bc9601811f8d4e3fecca7fc9c016cd18e4a012662a