210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
Size

616KB
MD5

56574c4691f454ea2c19454b7fc40905
SHA1

cbbfd3d72456c071ceef8ff4bf84106ca1062c6f
SHA256

210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43
SHA512

81f0de49b8e96d6422fb0f92f0799cac469d840b35e5f1ff48f9b2ae56104983ab4a17633def840868cd3c5db7b729d2f72d9f65590dfa0efcc95ba0b8980cdb
SSDEEP

12288:5v/fMH3Mu7vOlM7CjCkczgmziP+1RTwu7vOlM7CjCkczg:5v/fMfvQjCM+3vQj

Score

10^/10

defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+hbcbr.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/52F82C213F152C9C 2. http://k4restportgonst34d23r.oftpony.at/52F82C213F152C9C 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/52F82C213F152C9C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/52F82C213F152C9C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/52F82C213F152C9C http://k4restportgonst34d23r.oftpony.at/52F82C213F152C9C http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/52F82C213F152C9C *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/52F82C213F152C9C *** Your personal identification ID: 52F82C213F152C9C

URLs

http://p57gest54celltraf743knjf.mottesapo.com/52F82C213F152C9C

http://k4restportgonst34d23r.oftpony.at/52F82C213F152C9C

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/52F82C213F152C9C

http://fwgrhsao3aoml7ej.onion/52F82C213F152C9C

http://fwgrhsao3aoml7ej.ONION/52F82C213F152C9C

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hfpxbsciafqf.exeabxdx.exe56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exetbwin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	hfpxbsciafqf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	abxdx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	tbwin.exe

Drops startup file 6 IoCs

Processes:

hfpxbsciafqf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hbcbr.png	hfpxbsciafqf.exe

Executes dropped EXE 4 IoCs

Processes:

hfpxbsciafqf.exehfpxbsciafqf.exetbwin.exeabxdx.exe

pid process

4676 hfpxbsciafqf.exe
4576 hfpxbsciafqf.exe
3476 tbwin.exe
3280 abxdx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4676	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
3476	tbwin.exe
3280	abxdx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hfpxbsciafqf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\hfpxbsciafqf.exe"	hfpxbsciafqf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exehfpxbsciafqf.exe

description	pid	process	target process
PID 1836 set thread context of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 4676 set thread context of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe

Drops file in Program Files directory 64 IoCs

Processes:

hfpxbsciafqf.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-24.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-lightunplated.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-white.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteSmallTile.scale-100.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30_altform-unplated.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\accuweather.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-100.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-white.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyStoryCover.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-unplated_contrast-black.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-100.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-200_contrast-white.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-fullcolor.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-100.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSmallTile.scale-200.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-125.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-lightunplated.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlCone.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Recovery+hbcbr.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-200.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Recovery+hbcbr.html	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Recovery+hbcbr.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-100.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-colorize.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	hfpxbsciafqf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayStoreLogo.png	hfpxbsciafqf.exe

Drops file in Windows directory 2 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\hfpxbsciafqf.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
File opened for modification	C:\Windows\hfpxbsciafqf.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1688 vssadmin.exe
4204 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

hfpxbsciafqf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings hfpxbsciafqf.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5012 NOTEPAD.EXE

pid	process
1688	vssadmin.exe
4204	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	hfpxbsciafqf.exe

pid	process
5012	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hfpxbsciafqf.exe

pid	process
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe
4576	hfpxbsciafqf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1196 msedge.exe
1196 msedge.exe
1196 msedge.exe
1196 msedge.exe
1196 msedge.exe
1196 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exehfpxbsciafqf.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
Token: SeDebugPrivilege	4576	hfpxbsciafqf.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exehfpxbsciafqf.exe

pid process

1836 56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
4676 hfpxbsciafqf.exe

pid	process
1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
4676	hfpxbsciafqf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exehfpxbsciafqf.exehfpxbsciafqf.exetbwin.exemsedge.exeabxdx.exe

description	pid	process	target process
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 1836 wrote to memory of 512	1836	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
PID 512 wrote to memory of 4676	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	hfpxbsciafqf.exe
PID 512 wrote to memory of 4676	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	hfpxbsciafqf.exe
PID 512 wrote to memory of 4676	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	hfpxbsciafqf.exe
PID 512 wrote to memory of 4936	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 512 wrote to memory of 4936	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 512 wrote to memory of 4936	512	56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe	cmd.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4676 wrote to memory of 4576	4676	hfpxbsciafqf.exe	hfpxbsciafqf.exe
PID 4576 wrote to memory of 3476	4576	hfpxbsciafqf.exe	tbwin.exe
PID 4576 wrote to memory of 3476	4576	hfpxbsciafqf.exe	tbwin.exe
PID 4576 wrote to memory of 3476	4576	hfpxbsciafqf.exe	tbwin.exe
PID 3476 wrote to memory of 1688	3476	tbwin.exe	vssadmin.exe
PID 3476 wrote to memory of 1688	3476	tbwin.exe	vssadmin.exe
PID 4576 wrote to memory of 5012	4576	hfpxbsciafqf.exe	NOTEPAD.EXE
PID 4576 wrote to memory of 5012	4576	hfpxbsciafqf.exe	NOTEPAD.EXE
PID 4576 wrote to memory of 5012	4576	hfpxbsciafqf.exe	NOTEPAD.EXE
PID 4576 wrote to memory of 1196	4576	hfpxbsciafqf.exe	msedge.exe
PID 4576 wrote to memory of 1196	4576	hfpxbsciafqf.exe	msedge.exe
PID 1196 wrote to memory of 2924	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2924	1196	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3280	4576	hfpxbsciafqf.exe	abxdx.exe
PID 4576 wrote to memory of 3280	4576	hfpxbsciafqf.exe	abxdx.exe
PID 4576 wrote to memory of 3280	4576	hfpxbsciafqf.exe	abxdx.exe
PID 3280 wrote to memory of 4204	3280	abxdx.exe	vssadmin.exe
PID 3280 wrote to memory of 4204	3280	abxdx.exe	vssadmin.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe
PID 1196 wrote to memory of 2864	1196	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

hfpxbsciafqf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	hfpxbsciafqf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	hfpxbsciafqf.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56574c4691f454ea2c19454b7fc40905_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\hfpxbsciafqf.exe
    C:\Windows\hfpxbsciafqf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\hfpxbsciafqf.exe
      C:\Windows\hfpxbsciafqf.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4576
    - - C:\Users\Admin\Documents\tbwin.exe
        
        C:\Users\Admin\Documents\tbwin.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:1688
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe97e146f8,0x7ffe97e14708,0x7ffe97e14718
        6⤵
        
        PID:2924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:2864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        6⤵
        
        PID:3260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        
        PID:4936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:3200
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
        6⤵
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
        6⤵
        
        PID:1620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
        6⤵
        
        PID:2016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        6⤵
        
        PID:3716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
        6⤵
        
        PID:1356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4636874859858632406,14252889267734379023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        6⤵
        
        PID:2800
    - - C:\Users\Admin\Documents\abxdx.exe
        
        C:\Users\Admin\Documents\abxdx.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:4204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HFPXBS~1.EXE
        5⤵
        
        PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\56574C~1.EXE
    3⤵
    PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+hbcbr.html

Filesize
8KB

MD5
17a82af4e7a109ad89ff8a4aee60f879

SHA1
57be246e61af0d28355f45c1388fd2aab73b3f16

SHA256
a42e66692f8e6d25e2d213ffa15ec5a32083670ab577d23306e80158809d5413

SHA512
f8436dd713ffdcda51046dafc2fe3bc009ee645ff049eeefa8c36bb1f26c7460d624699e964a4651d9e6cba8d131a8b6149d4f3317c8619b778cf058f7c63363

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+hbcbr.png

Filesize
66KB

MD5
5394ed9c21c0efd9ce03e427e382b6ed

SHA1
2bb3be5fc4999fe9ffcf188da50b01b6f51b8741

SHA256
a1ba8b9a0f420eff9b24081e84c05c923c2eb7b6d248f226441e55def8d6cf4f

SHA512
5017e866244298c6442073dade303e88c4cbbc725e260587ae1c4feba69cee06bf5500c0bee6561a4a1d48fc4e055a47eebd82e0062da7d5e2bdd2fbe6a9f387

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+hbcbr.txt

Filesize
2KB

MD5
e0af5d85da54ed1ad2601e447b8d8198

SHA1
0a629a3e00f842f42a6e20097977866642e0d1be

SHA256
1aa17f8faf16a4b7783ac52d13748b1a092e38d4bf78f3400cc584622d57b8e1

SHA512
752578b98645e115394b6e13e485f7704b4445f301eefa1faed3b3e3276056639c6e4eee565196bfa6e2841cc7138a61c2da78aa1842529648eeeca872cffc35

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
69db5dd46b6ae86bac8405d1b4bc5d69

SHA1
4a83175e51d7c79ddd1e5a603d11a63614bb2bfa

SHA256
386a1b3919d2599fec768bd1c5ee014207e51ea26ae50f5a812b8de1468965d7

SHA512
272e70694988b7bd7c823047847f6f49e4c17e9997cb3b2e5352e5c41018e32483b5efe145843d8d80a98bf6f25440a227a98d9ccc3d77d108658a50b011e3c2

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
51c14a240ab26fd65e9af090439f223a

SHA1
aea9fe0e0516db02d99ca448d469c05705494533

SHA256
1c8258866be4d84ce11718c355ee412798e6c717433a32be2003ea987ce7199b

SHA512
ce482920fed6d0026d125867cc254dedede606b8afdf3498c2e0009b3e92729d0310c28cca53648930a88b752204acdfb2ac0a966bba3caacc1e277fd2d1aa98

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
34e798a25a4b27b3804697be31a4c2c0

SHA1
f717f1d2e28c9414dda9fcfee153106e3d138ba8

SHA256
c41cbe47048dbf160941b9859356d027a992eebaa487d7720e17abeffbfcc060

SHA512
63aa20fe739aa536b06e31bc12823ff49fe8687b9f8f89dd694b4ddccc19930b23cdce0ee70ecbe2ec777c5102c74e3a0b3004cea3f7c49b0af5fbc349e5dbc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac602eb187bfdde88de1032ea6b0356b

SHA1
7d74fa2d6947be46a6d9a14ff2cb7cd5a0b373a7

SHA256
cfd0e638807cb7d3d5a7010b26f27746337343c1e9666ca96ed53fd125300d50

SHA512
cfb6932e8c1e0a5f34e76d7075b133d83f55a2e9f05ba2d9321f5cec9a220ff53320ad4a6ff6b7620431c1d1953b373e734966ba6167e67e8f1701ff49c727cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62b4c158388c04ebb083c58da5d5172c

SHA1
6cec19ff7bdcca5d9cd2449e73272a4bdf233a58

SHA256
94e5bcb9c1b37efbe277d4ef3d0610174036575f507d71dcbf7a05cdccc75476

SHA512
949d0e70fc880169b78f6cb4ee2b16953ccd96a64a185b685186995ba5930e82501657f9bd34dcd5e21c505136b83b438e5f40654e9b6c43e12f3a40dc9da25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c887c19c068b053cea058f08775c787d

SHA1
fe8caee379957ec485451b14c5f9851f90ba4c23

SHA256
dda8259727a8e919ee15e7828c4c494921f7dc6e705b95ca3dfaad56cb937cf9

SHA512
e43cea949e53d880832102bf2135dbbf58f96e34211a10df3884135e2ebe1fe57960332d8901d22f4f3b9adf8c48cb0f252cdbe4fdb9d7fea7a6968f82a1899d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449526171674.txt

Filesize
75KB

MD5
8ee7726133c4c24344b61563e5cc1e8c

SHA1
36cd76d8512263abdbdc49bf03e73272362f719c

SHA256
ef4cb72ef508a7afb7fa744753698c3b39932bc18644772b39172420fd174ac9

SHA512
46771e65cc38bd8a47fa23942a070069aaac454dcf024868a8702cd32243c2a36de17859c5631de5bf619627f586ea2d05f48787ec5763414f9ff972b76394aa

Download Submit
C:\Users\Admin\Documents\tbwin.exe

Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
C:\Windows\hfpxbsciafqf.exe

Filesize
616KB

MD5
56574c4691f454ea2c19454b7fc40905

SHA1
cbbfd3d72456c071ceef8ff4bf84106ca1062c6f

SHA256
210223de4b6b3fb33d879ffb7df1e6b6cc7223f24603b2296852066ee3db3f43

SHA512
81f0de49b8e96d6422fb0f92f0799cac469d840b35e5f1ff48f9b2ae56104983ab4a17633def840868cd3c5db7b729d2f72d9f65590dfa0efcc95ba0b8980cdb

Download Submit
\??\pipe\LOCAL\crashpad_1196_XQQQIIIHNPXJRKGD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/512-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/512-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/512-5-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/512-3-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/512-6-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1836-4-0x0000000000840000-0x0000000000843000-memory.dmp

Filesize
12KB

Download
memory/1836-0-0x0000000000840000-0x0000000000843000-memory.dmp

Filesize
12KB

Download
memory/1836-1-0x0000000000840000-0x0000000000843000-memory.dmp

Filesize
12KB

Download
memory/4576-416-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-4478-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-6873-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-1052-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-9281-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-10401-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-10402-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-28-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-3206-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-10451-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-10455-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4576-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4676-20-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/4676-13-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download