Malware Analysis Report

2024-09-11 05:56

Sample ID 240531-mqzlbseh91
Target PCToaster.exe
SHA256 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
Tags discovery exploit
Score 8/10


Analysis Overview

Score 8/10

SHA256 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

Threat Level: Likely malicious

The file PCToaster.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-31 10:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-31 10:40

Reported 2024-05-31 10:43

Platform win7-20240220-en

Max time kernel 118s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Network

N/A

Files

memory/1640-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2680-3-0x00000000025E0000-0x0000000002850000-memory.dmp

memory/2680-11-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2680-13-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2680-14-0x00000000025E0000-0x0000000002850000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-31 10:40

Reported 2024-05-31 10:43

Platform win10v2004-20240508-en

Max time kernel 106s

Max time network 69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Signatures

Possible privilege escalation attempt

Tags exploit

Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Modifies file permissions

Tags discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\L: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\P: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\S: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\W: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\A: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\J: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\K: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\M: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\N: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\R: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Q: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\T: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Z: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\O: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\I: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\U: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\X: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Y: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\B: C:\Windows\SYSTEM32\mountvol.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Kills process with taskkill

Tags evasion

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\PCToaster.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 3208 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\PCToaster.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 2788 wrote to memory of 2536 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2788 wrote to memory of 2536 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 2788 wrote to memory of 5004 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 2788 wrote to memory of 5004 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 2788 wrote to memory of 2364 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\diskpart.exe
PID 2788 wrote to memory of 2364 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\diskpart.exe
PID 2788 wrote to memory of 1308 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 2788 wrote to memory of 1308 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 2788 wrote to memory of 3464 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 2788 wrote to memory of 3464 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 2788 wrote to memory of 3348 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\taskkill.exe
PID 2788 wrote to memory of 3348 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\taskkill.exe
PID 2788 wrote to memory of 3708 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 3708 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2980 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2980 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1196 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1196 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2468 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2468 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4220 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4220 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2952 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2952 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1632 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1632 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4872 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4872 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2140 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2140 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 3780 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 3780 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1548 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1548 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4868 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4868 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1028 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1028 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4384 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4384 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4416 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4416 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4020 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4020 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1716 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1716 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 736 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 736 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4228 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4228 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4980 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4980 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4976 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4976 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2372 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2372 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2164 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 2164 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1988 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 1988 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4640 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe
PID 2788 wrote to memory of 4640 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe

Views/modifies file attributes

Tags evasion

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\attrib.exe

attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\SYSTEM32\diskpart.exe

diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Boot /r

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Recovery /r

C:\Windows\SYSTEM32\taskkill.exe

taskkill /im lsass.exe /f

C:\Windows\SYSTEM32\mountvol.exe

mountvol A: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol B: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol D: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol E: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol F: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol G: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol H: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol I: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol J: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol K: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol L: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol M: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol N: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol O: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol P: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Q: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol R: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol S: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol T: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol U: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol V: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol W: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol X: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Y: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Z: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol C: /d

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 2.17.196.130:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 130.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

memory/3208-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2788-3-0x0000020BB68F0000-0x0000020BB6B60000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 381d6b12c6585c54bd4a0dd3b8c4e891
SHA1 5d358c98fcbc3677b902fb848e94bdbf9c6462cb
SHA256 4b6ec983b088307a56cd860a7ddb82de62a0dbef4fa773303d52a4178dd1f413
SHA512 9acb53b9100c972fcf3c5540c621c125b422aedc996f0590ef979d03e47e4ce97c2ecbac4872f7e598190196d034db4b84fa77d807175137a83a40b52b6bbc2d

C:\Users\Admin\AppData\Local\Temp\scr.txt

MD5 ad1869d6f0b2b809394605d3e73eeb74
SHA1 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6
SHA256 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394
SHA512 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

memory/2788-24-0x0000020BB5090000-0x0000020BB5091000-memory.dmp

memory/2788-27-0x0000020BB5090000-0x0000020BB5091000-memory.dmp

memory/2788-29-0x0000020BB68F0000-0x0000020BB6B60000-memory.dmp

memory/2788-34-0x0000020BB5090000-0x0000020BB5091000-memory.dmp

memory/2788-52-0x0000020BB5090000-0x0000020BB5091000-memory.dmp

memory/2788-64-0x0000020BB5090000-0x0000020BB5091000-memory.dmp

memory/2788-74-0x0000020BB5090000-0x0000020BB5091000-memory.dmp